*/
#include <stdbool.h>
-#include <stdio.h>
#include <stdlib.h>
+#include "build-config.h"
#include "cleankey.h"
+#include "decodekey.h"
#include "keyid.h"
#include "keystructs.h"
#include "log.h"
* hash cannot be checked (eg we don't support that hash type) we err
* on the side of caution and keep it.
*/
-int clean_sighashes(struct openpgp_publickey *key,
+int clean_sighashes(struct onak_dbctx *dbctx,
+ struct openpgp_publickey *key,
struct openpgp_packet *sigdata,
- struct openpgp_packet_list **sigs)
+ struct openpgp_packet_list **sigs,
+ bool fullverify,
+ bool *selfsig, bool *othersig)
{
struct openpgp_packet_list *tmpsig;
+ struct openpgp_publickey *sigkeys = NULL, *curkey;
+ onak_status_t ret;
+ uint8_t hashtype;
+ uint8_t hash[64];
+ uint8_t *sighash;
int removed = 0;
+ uint64_t keyid, sigid;
+ bool remove;
+ get_keyid(key, &keyid);
+ if (selfsig != NULL) {
+ *selfsig = false;
+ }
while (*sigs != NULL) {
- if (check_packet_sighash(key, sigdata, (*sigs)->packet) == 0) {
+ remove = false;
+ ret = calculate_packet_sighash(key, sigdata, (*sigs)->packet,
+ &hashtype, hash, &sighash);
+
+ if (ret == ONAK_E_UNSUPPORTED_FEATURE) {
+ get_keyid(key, &keyid);
+ logthing(LOGTHING_ERROR,
+ "Unsupported signature hash type %d on 0x%016"
+ PRIX64,
+ hashtype,
+ keyid);
+ if (fullverify) {
+ remove = true;
+ }
+ } else if (ret != ONAK_E_OK || (!fullverify &&
+ !(hash[0] == sighash[0] &&
+ hash[1] == sighash[1]))) {
+ remove = true;
+ }
+
+#if HAVE_CRYPTO
+ if (fullverify && !remove) {
+ sig_info((*sigs)->packet, &sigid, NULL);
+
+ /* Start by assuming it's a bad sig */
+
+ remove = true;
+ if (sigid == keyid) {
+ ret = onak_check_hash_sig(key, (*sigs)->packet,
+ hash, hashtype);
+
+ /* We have a valid self signature */
+ if (ret == ONAK_E_OK) {
+ remove = false;
+ if (selfsig != NULL) {
+ *selfsig = true;
+ }
+ }
+ }
+
+ if (remove) {
+ dbctx->fetch_key_id(dbctx, sigid,
+ &sigkeys, false);
+ }
+
+ /*
+ * A 64 bit collision is probably a sign of something
+ * sneaky happening, but if the signature verifies we
+ * should keep it.
+ */
+ for (curkey = sigkeys; curkey != NULL;
+ curkey = curkey->next) {
+
+ ret = onak_check_hash_sig(curkey,
+ (*sigs)->packet,
+ hash, hashtype);
+
+ /* Got a valid signature */
+ if (ret == ONAK_E_OK) {
+ remove = false;
+ if (othersig != NULL) {
+ *othersig = true;
+ }
+ break;
+ }
+ }
+
+ free_publickey(sigkeys);
+ sigkeys = NULL;
+ }
+#endif
+
+ if (remove) {
tmpsig = *sigs;
*sigs = (*sigs)->next;
tmpsig->next = NULL;
return removed;
}
-int clean_list_sighashes(struct openpgp_publickey *key,
- struct openpgp_signedpacket_list *siglist)
+int clean_list_sighashes(struct onak_dbctx *dbctx,
+ struct openpgp_publickey *key,
+ struct openpgp_signedpacket_list **siglist,
+ bool fullverify, bool needother)
{
+ struct openpgp_signedpacket_list **orig, *tmp = NULL;
+ bool selfsig, othersig;
int removed = 0;
- while (siglist != NULL) {
- removed += clean_sighashes(key, siglist->packet,
- &siglist->sigs);
- siglist = siglist->next;
+ othersig = false;
+ orig = siglist;
+ while (siglist != NULL && *siglist != NULL) {
+ selfsig = false;
+
+ removed += clean_sighashes(dbctx, key, (*siglist)->packet,
+ &(*siglist)->sigs, fullverify, &selfsig, &othersig);
+
+ if (fullverify && !selfsig) {
+ /* Remove the UID/subkey if there's no selfsig */
+ tmp = *siglist;
+ *siglist = (*siglist)->next;
+ tmp->next = NULL;
+ free_signedpacket_list(tmp);
+ } else {
+ siglist = &(*siglist)->next;
+ }
+ }
+
+ /*
+ * We need at least one UID to have a signature from another key,
+ * otherwise we remove all of them if needother is set.
+ */
+ if (needother && fullverify && !othersig) {
+ siglist = orig;
+ while (siglist != NULL && *siglist != NULL) {
+ tmp = *siglist;
+ *siglist = (*siglist)->next;
+ tmp->next = NULL;
+ free_signedpacket_list(tmp);
+ }
}
return removed;
}
-int clean_key_sighashes(struct openpgp_publickey *key)
+int clean_key_signatures(struct onak_dbctx *dbctx,
+ struct openpgp_publickey *key, bool fullverify, bool needother)
{
int removed;
- removed = clean_sighashes(key, NULL, &key->sigs);
- removed += clean_list_sighashes(key, key->uids);
- removed += clean_list_sighashes(key, key->subkeys);
+ removed = clean_sighashes(dbctx, key, NULL, &key->sigs, fullverify,
+ NULL, NULL);
+ removed += clean_list_sighashes(dbctx, key, &key->uids, fullverify,
+ needother);
+ removed += clean_list_sighashes(dbctx, key, &key->subkeys, fullverify,
+ false);
return removed;
}
* made, otherwise the number of keys cleaned. Note that some options
* may result in keys being removed entirely from the list.
*/
-int cleankeys(struct openpgp_publickey **keys, uint64_t policies)
+int cleankeys(struct onak_dbctx *dbctx, struct openpgp_publickey **keys,
+ uint64_t policies)
{
struct openpgp_publickey **curkey, *tmp;
+ struct openpgp_fingerprint fp;
int changed = 0, count = 0;
+ bool needother;
if (keys == NULL)
return 0;
while (*curkey != NULL) {
if (policies & ONAK_CLEAN_DROP_V3_KEYS) {
if ((*curkey)->publickey->data[0] < 4) {
- /* Remove the key from the list */
+ /* Remove the key from the list if it's < v4 */
tmp = *curkey;
*curkey = tmp->next;
tmp->next = NULL;
}
count += dedupuids(*curkey);
count += dedupsubkeys(*curkey);
- if (policies & ONAK_CLEAN_CHECK_SIGHASH) {
- count += clean_key_sighashes(*curkey);
+ if (policies & (ONAK_CLEAN_CHECK_SIGHASH |
+ ONAK_CLEAN_VERIFY_SIGNATURES)) {
+
+ needother = policies & ONAK_CLEAN_NEED_OTHER_SIG;
+ if (needother) {
+ /*
+ * Check if we already have the key; if we do
+ * then we can skip the check to make sure we
+ * have signatures from other keys.
+ */
+ get_fingerprint((*curkey)->publickey, &fp);
+ tmp = NULL;
+ needother = dbctx->fetch_key(dbctx, &fp,
+ &tmp, false) == 0;
+ free_publickey(tmp);
+ }
+
+ count += clean_key_signatures(dbctx, *curkey,
+ policies & ONAK_CLEAN_VERIFY_SIGNATURES,
+ needother);
}
if (count > 0) {
changed++;
}
- curkey = &(*curkey)->next;
+ if ((*curkey)->uids == NULL) {
+ /* No valid UIDS so remove the key from the list */
+ tmp = *curkey;
+ *curkey = tmp->next;
+ tmp->next = NULL;
+ free_publickey(tmp);
+ } else {
+ curkey = &(*curkey)->next;
+ }
}
return changed;