X-Git-Url: https://the.earth.li/gitweb/?a=blobdiff_plain;f=sigcheck.c;h=89b3f92970205df3ff70f629ef201f6bb839c705;hb=6565bed3065d1751abf469da1a85884d9ddde759;hp=04f26760b1c3e3dd6fa0a50bd65364fbf1ff4fd1;hpb=f063495a9a479e094216875001e3e006344eebcd;p=onak.git diff --git a/sigcheck.c b/sigcheck.c index 04f2676..89b3f92 100644 --- a/sigcheck.c +++ b/sigcheck.c @@ -36,12 +36,13 @@ #endif #include "sha1x.h" -int check_packet_sighash(struct openpgp_publickey *key, +onak_status_t calculate_packet_sighash(struct openpgp_publickey *key, struct openpgp_packet *packet, - struct openpgp_packet *sig) + struct openpgp_packet *sig, + uint8_t *hashtype, + uint8_t *hash, + uint8_t **sighash) { - uint8_t hashtype; - uint8_t *sighash; size_t siglen, unhashedlen; struct sha1_ctx sha1_context; struct sha1x_ctx sha1x_context; @@ -56,13 +57,15 @@ int check_packet_sighash(struct openpgp_publickey *key, uint8_t keyheader[5]; uint8_t packetheader[5]; uint8_t trailer[10]; - uint8_t hash[64]; uint8_t *hashdata[8]; size_t hashlen[8]; int chunks, i; uint64_t keyid; onak_status_t res; + *hashtype = 0; + *sighash = NULL; + switch (sig->data[0]) { case 2: case 3: @@ -75,7 +78,7 @@ int check_packet_sighash(struct openpgp_publickey *key, hashlen[1] = key->publickey->length; chunks = 2; - hashtype = sig->data[16]; + *hashtype = sig->data[16]; if (packet != NULL) { if (packet->tag == OPENPGP_PACKET_PUBLICSUBKEY) { @@ -96,7 +99,7 @@ int check_packet_sighash(struct openpgp_publickey *key, hashdata[chunks] = &sig->data[2]; hashlen[chunks] = 5; chunks++; - sighash = &sig->data[17]; + *sighash = &sig->data[17]; break; case 4: keyheader[0] = 0x99; @@ -108,8 +111,6 @@ int check_packet_sighash(struct openpgp_publickey *key, hashlen[1] = key->publickey->length; chunks = 2; - hashtype = sig->data[3]; - /* Check to see if this is an X509 based signature */ if (sig->data[2] == 0 || sig->data[2] == 100) { size_t len; 
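Review bot: `hash` is now a caller-supplied `uint8_t *hash` with no length, whereas the local removed in the next hunk was `uint8_t hash[64]`, so each `*_digest()` call further down writes a fixed digest size into a buffer whose size this function cannot see. The hash type comes from the signature packet (`*hashtype = sig->data[16]` / `sig->data[3]`), so a caller buffer sized for a short digest would presumably be overrun when a packet selects a longer one. Either add a length parameter and check it before each digest call, or state the requirement above the function: `/* hash must point to at least 64 bytes; *hashtype and *sighash are only meaningful when ONAK_E_OK is returned */`. The added `*hashtype = 0; *sighash = NULL;` in the next hunk also dereference the out-pointers without a NULL check. The function body continues outside this hunk.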
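Review bot: `*sighash = &sig->data[17]` hands the caller a pointer into the packet with no visible check that `sig->length` is at least 19, and the caller must now read two bytes through it because the comparison has moved out of this function. The same applies to `*sighash = &sig->data[siglen + unhashedlen + 2]` in the hunks at -188 and -256, where `unhashedlen` is read from the packet and only `siglen > sig->length` is tested. A truncated signature packet would then cause an out-of-bounds read, either here when `unhashedlen` is fetched or later in the caller. Suggested guards: `if (sig->length < 19) return ONAK_E_INVALID_PKT;` for v2/v3; for v4/v5, `if (siglen + 2 > sig->length) return ONAK_E_INVALID_PKT;` before `unhashedlen` is read and `if (siglen + unhashedlen + 4 > sig->length) return ONAK_E_INVALID_PKT;` before the assignment. The lines between these hunks are not shown, so a check may already exist there.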
@@ -119,8 +120,7 @@ int check_packet_sighash(struct openpgp_publickey *key, sig->length - 4, &len, &keyid, NULL); if (res != ONAK_E_OK) { - /* If it parses badly, reject it */ - return 0; + return res; } if (keyid == 0 && /* No unhashed data */ @@ -133,15 +133,12 @@ int check_packet_sighash(struct openpgp_publickey *key, sig->data[8 + len] == 0 && sig->data[9 + len] == 1 && sig->data[10 + len] == 1) { - get_keyid(key, &keyid); - logthing(LOGTHING_DEBUG, - "Skipping X509 signature on 0x%016" - PRIX64, - keyid); - return -1; + return ONAK_E_UNSUPPORTED_FEATURE; } } + *hashtype = sig->data[3]; + if (packet != NULL) { if (packet->tag == OPENPGP_PACKET_PUBLICSUBKEY) { packetheader[0] = 0x99; @@ -172,7 +169,7 @@ int check_packet_sighash(struct openpgp_publickey *key, sig->data[5] + 6;; if (siglen > sig->length) { /* Signature data exceed packet length, bogus */ - return 0; + return ONAK_E_INVALID_PKT; } chunks++; @@ -188,7 +185,7 @@ int check_packet_sighash(struct openpgp_publickey *key, unhashedlen = (sig->data[siglen] << 8) + sig->data[siglen + 1]; - sighash = &sig->data[siglen + unhashedlen + 2]; + *sighash = &sig->data[siglen + unhashedlen + 2]; break; case 5: keyheader[0] = 0x9A; @@ -202,7 +199,7 @@ int check_packet_sighash(struct openpgp_publickey *key, hashlen[1] = key->publickey->length; chunks = 2; - hashtype = sig->data[3]; + *hashtype = sig->data[3]; if (packet != NULL) { if (packet->tag == OPENPGP_PACKET_PUBLICSUBKEY) { @@ -236,7 +233,7 @@ int check_packet_sighash(struct openpgp_publickey *key, sig->data[5] + 6;; if (siglen > sig->length) { /* Signature data exceed packet length, bogus */ - return 0; + return ONAK_E_INVALID_PKT; } chunks++; 
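Review bot: `return res` replaces a `return 0` whose comment said a badly parsed signature is rejected, and the X509 branch in the next hunk plus the two `default:` branches in the hunks at -256 and -332 now return `ONAK_E_UNSUPPORTED_FEATURE` where the old code logged the key id and returned -1. Nothing visible here records which status values a caller must treat as "drop this signature" and which as "could not be checked", so a caller that tests only for `ONAK_E_OK` would presumably lose that distinction. I would state it in a comment above the function, for example `/* ONAK_E_UNSUPPORTED_FEATURE: signature could not be checked; any other non-OK status: malformed packet, reject */`. The caller should also log the key id, `sig->data[0]` and `*hashtype`, which the removed logthing() calls used to report. The callers are outside this diff.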
@@ -256,37 +253,33 @@ int check_packet_sighash(struct openpgp_publickey *key, unhashedlen = (sig->data[siglen] << 8) + sig->data[siglen + 1]; - sighash = &sig->data[siglen + unhashedlen + 2]; + *sighash = &sig->data[siglen + unhashedlen + 2]; break; default: - get_keyid(key, &keyid); - logthing(LOGTHING_ERROR, - "Unknown signature version %d on 0x%016" PRIX64, - sig->data[0], keyid); - return -1; + return ONAK_E_UNSUPPORTED_FEATURE; } - switch (hashtype) { + switch (*hashtype) { case OPENPGP_HASH_MD5: md5_init(&md5_context); for (i = 0; i < chunks; i++) { md5_update(&md5_context, hashlen[i], hashdata[i]); } - md5_digest(&md5_context, 16, hash); + md5_digest(&md5_context, MD5_DIGEST_SIZE, hash); break; case OPENPGP_HASH_SHA1: sha1_init(&sha1_context); for (i = 0; i < chunks; i++) { sha1_update(&sha1_context, hashlen[i], hashdata[i]); } - sha1_digest(&sha1_context, 20, hash); + sha1_digest(&sha1_context, SHA1_DIGEST_SIZE, hash); break; case OPENPGP_HASH_SHA1X: sha1x_init(&sha1x_context); for (i = 0; i < chunks; i++) { sha1x_update(&sha1x_context, hashlen[i], hashdata[i]); } - sha1x_digest(&sha1x_context, 20, hash); + sha1x_digest(&sha1x_context, SHA1X_DIGEST_SIZE, hash); break; #ifdef HAVE_NETTLE case OPENPGP_HASH_RIPEMD160: @@ -332,18 +325,8 @@ int check_packet_sighash(struct openpgp_publickey *key, break; #endif default: - get_keyid(key, &keyid); - logthing(LOGTHING_ERROR, - "Unsupported signature hash type %d on 0x%016" PRIX64, - hashtype, - keyid); - return -1; + return ONAK_E_UNSUPPORTED_FEATURE; } - logthing(LOGTHING_DEBUG, "Hash type: %d, %d chunks, " - "calculated: %02X%02X / actual: %02X%02X", - hashtype, chunks, - hash[0], hash[1], sighash[0], sighash[1]); - - return (hash[0] == sighash[0] && hash[1] == sighash[1]); + return ONAK_E_OK; }