]> the.earth.li Git - onak.git/blob - cleankey.c
Include statistics for fetching by SKS hash in "keydctl status"
[onak.git] / cleankey.c
1 /*
2  * cleankey.c - Routines to look for common key problems and clean them up.
3  *
4  * Copyright 2004,2012 Jonathan McDowell <noodles@earth.li>
5  *
6  * This program is free software: you can redistribute it and/or modify it
7  * under the terms of the GNU General Public License as published by the Free
8  * Software Foundation; version 2 of the License.
9  *
10  * This program is distributed in the hope that it will be useful, but WITHOUT
11  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
12  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
13  * more details.
14  *
15  * You should have received a copy of the GNU General Public License along with
16  * this program; if not, write to the Free Software Foundation, Inc., 51
17  * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18  */
19
20 #include <stdbool.h>
21 #include <stdio.h>
22 #include <stdlib.h>
23
24 #include "cleankey.h"
25 #include "keyid.h"
26 #include "keystructs.h"
27 #include "log.h"
28 #include "mem.h"
29 #include "merge.h"
30 #include "onak-conf.h"
31 #include "sigcheck.h"
32
33 /**
34  *      dedupuids - Merge duplicate uids on a key.
35  *      @key: The key to de-dup uids on.
36  *
37  *      This function attempts to merge duplicate IDs on a key. It returns 0
38  *      if the key is unchanged, otherwise the number of dups merged.
39  */
40 int dedupuids(struct openpgp_publickey *key)
41 {
42         struct openpgp_signedpacket_list *curuid = NULL;
43         struct openpgp_signedpacket_list *dup = NULL;
44         struct openpgp_signedpacket_list *tmp = NULL;
45         int                               merged = 0;
46
47         log_assert(key != NULL);
48         curuid = key->uids;
49         while (curuid != NULL) {
50                 dup = find_signed_packet(curuid->next, curuid->packet);
51                 while (dup != NULL) {
52                         logthing(LOGTHING_INFO, "Found duplicate uid: %.*s",
53                                         curuid->packet->length,
54                                         curuid->packet->data);
55                         merged++;
56                         merge_packet_sigs(curuid, dup);
57                         /*
58                          * Remove the duplicate uid.
59                          */
60                         tmp = curuid;
61                         while (tmp != NULL && tmp->next != dup) {
62                                 tmp = tmp->next;
63                         }
64                         log_assert(tmp != NULL);
65                         tmp->next = dup->next;
66                         dup->next = NULL;
67                         free_signedpacket_list(dup);
68
69                         dup = find_signed_packet(curuid->next, curuid->packet);
70                 }
71                 curuid = curuid->next;
72         }
73
74         return merged;
75 }
76
77 /**
78  *      dedupsubkeys - Merge duplicate subkeys on a key.
79  *      @key: The key to de-dup subkeys on.
80  *
81  *      This function attempts to merge duplicate subkeys on a key. It returns
82  *      0 if the key is unchanged, otherwise the number of dups merged.
83  */
84 int dedupsubkeys(struct openpgp_publickey *key)
85 {
86         struct openpgp_signedpacket_list *cursubkey = NULL;
87         struct openpgp_signedpacket_list *dup = NULL;
88         struct openpgp_signedpacket_list *tmp = NULL;
89         int                               merged = 0;
90         uint64_t                          subkeyid;
91
92         log_assert(key != NULL);
93         cursubkey = key->subkeys;
94         while (cursubkey != NULL) {
95                 dup = find_signed_packet(cursubkey->next, cursubkey->packet);
96                 while (dup != NULL) {
97                         get_packetid(cursubkey->packet, &subkeyid);
98                         logthing(LOGTHING_INFO,
99                                 "Found duplicate subkey: 0x%016" PRIX64,
100                                 subkeyid);
101                         merged++;
102                         merge_packet_sigs(cursubkey, dup);
103                         /*
104                          * Remove the duplicate uid.
105                          */
106                         tmp = cursubkey;
107                         while (tmp != NULL && tmp->next != dup) {
108                                 tmp = tmp->next;
109                         }
110                         log_assert(tmp != NULL);
111                         tmp->next = dup->next;
112                         dup->next = NULL;
113                         free_signedpacket_list(dup);
114
115                         dup = find_signed_packet(cursubkey->next,
116                                 cursubkey->packet);
117                 }
118                 cursubkey = cursubkey->next;
119         }
120
121         return merged;
122 }
123
124 /**
125  *      check_sighashes - Check that sig hashes are correct.
126  *      @key - the check to check the sig hashes of.
127  *
128  *      Given an OpenPGP key confirm that all of the sigs on it have the
129  *      appropriate 2 octet hash beginning, as stored as part of the sig.
130  *      This is a simple way to remove junk sigs and, for example, catches
131  *      subkey sig corruption as produced by old pksd implementations.
132  *      Any sig that has an incorrect hash is removed from the key. If the
133  *      hash cannot be checked (eg we don't support that hash type) we err
134  *      on the side of caution and keep it.
135  */
136 int clean_sighashes(struct openpgp_publickey *key,
137                 struct openpgp_packet *sigdata,
138                 struct openpgp_packet_list **sigs)
139 {
140         struct openpgp_packet_list *tmpsig;
141         int removed = 0;
142
143         while (*sigs != NULL) {
144                 if (check_packet_sighash(key, sigdata, (*sigs)->packet) == 0) {
145                         tmpsig = *sigs;
146                         *sigs = (*sigs)->next;
147                         tmpsig->next = NULL;
148                         free_packet_list(tmpsig);
149                         removed++;
150                 } else {
151                         sigs = &(*sigs)->next;
152                 }
153         }
154
155         return removed;
156 }
157
158 int clean_list_sighashes(struct openpgp_publickey *key,
159                         struct openpgp_signedpacket_list *siglist)
160 {
161         int removed = 0;
162
163         while (siglist != NULL) {
164                 removed += clean_sighashes(key, siglist->packet,
165                         &siglist->sigs);
166                 siglist = siglist->next;
167         }
168
169         return removed;
170 }
171
172 int clean_key_sighashes(struct openpgp_publickey *key)
173 {
174         int removed;
175
176         removed = clean_sighashes(key, NULL, &key->sigs);
177         removed += clean_list_sighashes(key, key->uids);
178         removed += clean_list_sighashes(key, key->subkeys);
179
180         return removed;
181 }
182
183 /**
184  *      cleankeys - Apply all available cleaning options on a list of keys.
185  *      @keys: The list of keys to clean.
186  *
187  *      Applies all the cleaning options we can (eg duplicate key ids) to a
188  *      list of keys. Returns 0 if no changes were made, otherwise the number
189  *      of keys cleaned.
190  */
191 int cleankeys(struct openpgp_publickey *keys)
192 {
193         int changed = 0, count;
194
195         while (keys != NULL) {
196                 count = dedupuids(keys);
197                 count += dedupsubkeys(keys);
198                 if (config.check_sighash) {
199                         count += clean_key_sighashes(keys);
200                 }
201                 if (count > 0) {
202                         changed++;
203                 }
204                 keys = keys->next;
205         }
206
207         return changed;
208 }