X-Git-Url: https://the.earth.li/gitweb/?a=blobdiff_plain;f=cleankey.c;h=55e3161d0d87bb35ebb7d6be2826c919a6571fff;hb=8ee9a59daf7a1ab1bf4ad8f4d2bcb88282db58a8;hp=5608ef04926213893794f83756c20b7ad7b9c4e0;hpb=e17ef1fac72bcfeff58e7c88af18eea6f9d6bc85;p=onak.git

diff --git a/cleankey.c b/cleankey.c
index 5608ef0..55e3161 100644
--- a/cleankey.c
+++ b/cleankey.c
@@ -13,8 +13,7 @@
  * more details.
  *
  * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 51
- * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
 #include <stdbool.h>
@@ -27,7 +26,7 @@
 #include "log.h"
 #include "mem.h"
 #include "merge.h"
-#include "onak-conf.h"
+#include "openpgp.h"
 #include "sigcheck.h"
 
 /**
@@ -138,10 +137,28 @@ int clean_sighashes(struct openpgp_publickey *key,
 		struct openpgp_packet_list **sigs)
 {
 	struct openpgp_packet_list *tmpsig;
+	onak_status_t ret;
+	uint8_t hashtype;
+	uint8_t hash[64];
+	uint8_t *sighash;
 	int removed = 0;
+	uint64_t keyid;
 
 	while (*sigs != NULL) {
-		if (check_packet_sighash(key, sigdata, (*sigs)->packet) == 0) {
+		ret = calculate_packet_sighash(key, sigdata, (*sigs)->packet,
+				&hashtype, hash, &sighash);
+
+		if (ret == ONAK_E_UNSUPPORTED_FEATURE) {
+			get_keyid(key, &keyid);
+			logthing(LOGTHING_ERROR,
+				"Unsupported signature hash type %d on 0x%016"
+				PRIX64,
+				hashtype,
+				keyid);
+			sigs = &(*sigs)->next;
+		} else if (ret != ONAK_E_OK ||
+				!(hash[0] == sighash[0] &&
+					hash[1] == sighash[1])) {
 			tmpsig = *sigs;
 			*sigs = (*sigs)->next;
 			tmpsig->next = NULL;
@@ -180,28 +197,98 @@ int clean_key_sighashes(struct openpgp_publickey *key)
 	return removed;
 }
 
+#define UAT_LIMIT	0xFFFF
+#define UID_LIMIT	1024
+#define PACKET_LIMIT	8383		/* Fits in 2 byte packet length */
+int clean_large_packets(struct openpgp_publickey *key)
+{
+	struct openpgp_signedpacket_list **curuid = NULL;
+	struct openpgp_signedpacket_list *tmp = NULL;
+	bool                              drop;
+	int                               dropped = 0;
+
+	log_assert(key != NULL);
+	curuid = &key->uids;
+	while (*curuid != NULL) {
+		drop = false;
+		switch ((*curuid)->packet->tag) {
+		case OPENPGP_PACKET_UID:
+			if ((*curuid)->packet->length > UID_LIMIT)
+				drop = true;
+			break;
+		case OPENPGP_PACKET_UAT:
+			if ((*curuid)->packet->length > UAT_LIMIT)
+				drop = true;
+			break;
+		default:
+			if ((*curuid)->packet->length > PACKET_LIMIT)
+				drop = true;
+			break;
+		}
+
+		if (drop) {
+			logthing(LOGTHING_INFO,
+					"Dropping large (%d) packet, type %d",
+					(*curuid)->packet->length,
+					(*curuid)->packet->tag);
+			/* Remove the entire large signed packet list */
+			tmp = *curuid;
+			*curuid = (*curuid)->next;
+			tmp->next = NULL;
+			free_signedpacket_list(tmp);
+			dropped++;
+		} else {
+			curuid = &(*curuid)->next;
+		}
+	}
+
+	return dropped;
+}
+
 /**
  *	cleankeys - Apply all available cleaning options on a list of keys.
- *	@keys: The list of keys to clean.
+ *	@policies: The cleaning policies to apply.
  *
- *	Applies all the cleaning options we can (eg duplicate key ids) to a
- *	list of keys. Returns 0 if no changes were made, otherwise the number
- *	of keys cleaned.
+ *	Applies the requested cleaning policies to a list of keys. These are
+ *	specified from the ONAK_CLEAN_* set of flags, or ONAK_CLEAN_ALL to
+ *	apply all available cleaning options. Returns 0 if no changes were
+ *	made, otherwise the number of keys cleaned. Note that some options
+ *	may result in keys being removed entirely from the list.
  */
-int cleankeys(struct openpgp_publickey *keys)
+int cleankeys(struct onak_dbctx *dbctx, struct openpgp_publickey **keys,
+		uint64_t policies)
 {
-	int changed = 0, count;
+	struct openpgp_publickey **curkey, *tmp;
+	int changed = 0, count = 0;
 
-	while (keys != NULL) {
-		count = dedupuids(keys);
-		count += dedupsubkeys(keys);
-		if (config.check_sighash) {
-			count += clean_key_sighashes(keys);
+	if (keys == NULL)
+		return 0;
+
+	curkey = keys;
+	while (*curkey != NULL) {
+		if (policies & ONAK_CLEAN_DROP_V3_KEYS) {
+			if ((*curkey)->publickey->data[0] < 4) {
+				/* Remove the key from the list */
+				tmp = *curkey;
+				*curkey = tmp->next;
+				tmp->next = NULL;
+				free_publickey(tmp);
+				changed++;
+				continue;
+			}
+		}
+		if (policies & ONAK_CLEAN_LARGE_PACKETS) {
+			count += clean_large_packets(*curkey);
+		}
+		count += dedupuids(*curkey);
+		count += dedupsubkeys(*curkey);
+		if (policies & ONAK_CLEAN_CHECK_SIGHASH) {
+			count += clean_key_sighashes(*curkey);
 		}
 		if (count > 0) {
 			changed++;
 		}
-		keys = keys->next;
+		curkey = &(*curkey)->next;
 	}
 
 	return changed;