cleankey.c

   1 /*
   2  * cleankey.c - Routines to look for common key problems and clean them up.
   3  *
   4  * Copyright 2004,2012 Jonathan McDowell <noodles@earth.li>
   5  *
   6  * This program is free software: you can redistribute it and/or modify it
   7  * under the terms of the GNU General Public License as published by the Free
   8  * Software Foundation; version 2 of the License.
   9  *
  10  * This program is distributed in the hope that it will be useful, but WITHOUT
  11  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  12  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
  13  * more details.
  14  *
  15  * You should have received a copy of the GNU General Public License along with
  16  * this program; if not, write to the Free Software Foundation, Inc., 51
  17  * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  18  */
  19
  20 #include <stdbool.h>
  21 #include <stdio.h>
  22 #include <stdlib.h>
  23
  24 #include "cleankey.h"
  25 #include "keyid.h"
  26 #include "keystructs.h"
  27 #include "log.h"
  28 #include "mem.h"
  29 #include "merge.h"
  30 #include "onak-conf.h"
  31 #include "sigcheck.h"
  32
  33 /**
  34  *      dedupuids - Merge duplicate uids on a key.
  35  *      @key: The key to de-dup uids on.
  36  *
  37  *      This function attempts to merge duplicate IDs on a key. It returns 0
  38  *      if the key is unchanged, otherwise the number of dups merged.
  39  */
  40 int dedupuids(struct openpgp_publickey *key)
  41 {
  42         struct openpgp_signedpacket_list *curuid = NULL;
  43         struct openpgp_signedpacket_list *dup = NULL;
  44         struct openpgp_signedpacket_list *tmp = NULL;
  45         int                               merged = 0;
  46
  47         log_assert(key != NULL);
  48         curuid = key->uids;
  49         while (curuid != NULL) {
  50                 dup = find_signed_packet(curuid->next, curuid->packet);
  51                 while (dup != NULL) {
  52                         logthing(LOGTHING_INFO, "Found duplicate uid: %.*s",
  53                                         curuid->packet->length,
  54                                         curuid->packet->data);
  55                         merged++;
  56                         merge_packet_sigs(curuid, dup);
  57                         /*
  58                          * Remove the duplicate uid.
  59                          */
  60                         tmp = curuid;
  61                         while (tmp != NULL && tmp->next != dup) {
  62                                 tmp = tmp->next;
  63                         }
  64                         log_assert(tmp != NULL);
  65                         tmp->next = dup->next;
  66                         dup->next = NULL;
  67                         free_signedpacket_list(dup);
  68
  69                         dup = find_signed_packet(curuid->next, curuid->packet);
  70                 }
  71                 curuid = curuid->next;
  72         }
  73
  74         return merged;
  75 }
  76
  77 /**
  78  *      dedupsubkeys - Merge duplicate subkeys on a key.
  79  *      @key: The key to de-dup subkeys on.
  80  *
  81  *      This function attempts to merge duplicate subkeys on a key. It returns
  82  *      0 if the key is unchanged, otherwise the number of dups merged.
  83  */
  84 int dedupsubkeys(struct openpgp_publickey *key)
  85 {
  86         struct openpgp_signedpacket_list *cursubkey = NULL;
  87         struct openpgp_signedpacket_list *dup = NULL;
  88         struct openpgp_signedpacket_list *tmp = NULL;
  89         int                               merged = 0;
  90         uint64_t                          subkeyid;
  91
  92         log_assert(key != NULL);
  93         cursubkey = key->subkeys;
  94         while (cursubkey != NULL) {
  95                 dup = find_signed_packet(cursubkey->next, cursubkey->packet);
  96                 while (dup != NULL) {
  97                         get_packetid(cursubkey->packet, &subkeyid);
  98                         logthing(LOGTHING_INFO,
  99                                 "Found duplicate subkey: 0x%016" PRIX64,
 100                                 subkeyid);
 101                         merged++;
 102                         merge_packet_sigs(cursubkey, dup);
 103                         /*
 104                          * Remove the duplicate uid.
 105                          */
 106                         tmp = cursubkey;
 107                         while (tmp != NULL && tmp->next != dup) {
 108                                 tmp = tmp->next;
 109                         }
 110                         log_assert(tmp != NULL);
 111                         tmp->next = dup->next;
 112                         dup->next = NULL;
 113                         free_signedpacket_list(dup);
 114
 115                         dup = find_signed_packet(cursubkey->next,
 116                                 cursubkey->packet);
 117                 }
 118                 cursubkey = cursubkey->next;
 119         }
 120
 121         return merged;
 122 }
 123
 124 /**
 125  *      check_sighashes - Check that sig hashes are correct.
 126  *      @key - the check to check the sig hashes of.
 127  *
 128  *      Given an OpenPGP key confirm that all of the sigs on it have the
 129  *      appropriate 2 octet hash beginning, as stored as part of the sig.
 130  *      This is a simple way to remove junk sigs and, for example, catches
 131  *      subkey sig corruption as produced by old pksd implementations.
 132  *      Any sig that has an incorrect hash is removed from the key. If the
 133  *      hash cannot be checked (eg we don't support that hash type) we err
 134  *      on the side of caution and keep it.
 135  */
 136 int clean_sighashes(struct openpgp_publickey *key,
 137                 struct openpgp_packet *sigdata,
 138                 struct openpgp_packet_list **sigs)
 139 {
 140         struct openpgp_packet_list *tmpsig;
 141         int removed = 0;
 142
 143         while (*sigs != NULL) {
 144                 if (check_packet_sighash(key, sigdata, (*sigs)->packet) == 0) {
 145                         tmpsig = *sigs;
 146                         *sigs = (*sigs)->next;
 147                         tmpsig->next = NULL;
 148                         free_packet_list(tmpsig);
 149                         removed++;
 150                 } else {
 151                         sigs = &(*sigs)->next;
 152                 }
 153         }
 154
 155         return removed;
 156 }
 157
 158 int clean_list_sighashes(struct openpgp_publickey *key,
 159                         struct openpgp_signedpacket_list *siglist)
 160 {
 161         int removed = 0;
 162
 163         while (siglist != NULL) {
 164                 removed += clean_sighashes(key, siglist->packet,
 165                         &siglist->sigs);
 166                 siglist = siglist->next;
 167         }
 168
 169         return removed;
 170 }
 171
 172 int clean_key_sighashes(struct openpgp_publickey *key)
 173 {
 174         int removed;
 175
 176         removed = clean_sighashes(key, NULL, &key->sigs);
 177         removed += clean_list_sighashes(key, key->uids);
 178         removed += clean_list_sighashes(key, key->subkeys);
 179
 180         return removed;
 181 }
 182
 183 /**
 184  *      cleankeys - Apply all available cleaning options on a list of keys.
 185  *      @keys: The list of keys to clean.
 186  *
 187  *      Applies all the cleaning options we can (eg duplicate key ids) to a
 188  *      list of keys. Returns 0 if no changes were made, otherwise the number
 189  *      of keys cleaned.
 190  */
 191 int cleankeys(struct openpgp_publickey *keys)
 192 {
 193         int changed = 0, count;
 194
 195         while (keys != NULL) {
 196                 count = dedupuids(keys);
 197                 count += dedupsubkeys(keys);
 198                 if (config.check_sighash) {
 199                         count += clean_key_sighashes(keys);
 200                 }
 201                 if (count > 0) {
 202                         changed++;
 203                 }
 204                 keys = keys->next;
 205         }
 206
 207         return changed;
 208 }