diff options
author | Werner Koch <wk@gnupg.org> | 2001-11-13 13:50:14 +0100 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2001-11-13 13:50:14 +0100 |
commit | 90d060c1997c6c0b9f26c9088020d62f91d450da (patch) | |
tree | b2e7720d625699a49729b36286fb66a774c5faed /kbx | |
parent | A Makefile is a pretty useful thing (diff) | |
download | gnupg2-90d060c1997c6c0b9f26c9088020d62f91d450da.tar.xz gnupg2-90d060c1997c6c0b9f26c9088020d62f91d450da.zip |
We have reached a state where we are able to import certs and
check the certification path.
Diffstat (limited to 'kbx')
-rw-r--r-- | kbx/Makefile.am | 8 | ||||
-rw-r--r-- | kbx/kbxutil.c | 3 | ||||
-rw-r--r-- | kbx/keybox-blob.c | 314 | ||||
-rw-r--r-- | kbx/keybox-defs.h | 34 | ||||
-rw-r--r-- | kbx/keybox-dump.c | 94 | ||||
-rw-r--r-- | kbx/keybox-errors.c | 6 | ||||
-rw-r--r-- | kbx/keybox-file.c | 58 | ||||
-rw-r--r-- | kbx/keybox-init.c | 103 | ||||
-rw-r--r-- | kbx/keybox-search-desc.h | 69 | ||||
-rw-r--r-- | kbx/keybox-search.c | 511 | ||||
-rw-r--r-- | kbx/keybox-update.c | 390 | ||||
-rw-r--r-- | kbx/keybox.h | 44 |
12 files changed, 1333 insertions, 301 deletions
diff --git a/kbx/Makefile.am b/kbx/Makefile.am index 81885f3ca..4c783fc1e 100644 --- a/kbx/Makefile.am +++ b/kbx/Makefile.am @@ -27,13 +27,14 @@ noinst_LIBRARIES = libkeybox.a bin_PROGRAMS = kbxutil common_sources = \ - keybox.h \ - keybox-defs.h \ + keybox.h keybox-defs.h keybox-search-desc.h \ keybox-util.c \ keybox-errors.c \ keybox-init.c \ keybox-blob.c \ keybox-file.c \ + keybox-search.c \ + keybox-update.c \ keybox-dump.c @@ -41,7 +42,8 @@ libkeybox_a_SOURCES = $(common_sources) kbxutil_SOURCES = kbxutil.c $(common_sources) kbxutil_LDADD = ../jnlib/libjnlib.a \ - ../../libgcrypt/src/.libs/libgcrypt.so.1 + ../../libksba/src/.libs/libksba.a \ + ../../libgcrypt/src/.libs/libgcrypt.so.1 keybox-errors.c : keybox.h mkerrors $(srcdir)/mkerrors < $(srcdir)/keybox.h > keybox-errors.c diff --git a/kbx/kbxutil.c b/kbx/kbxutil.c index 8c3dee97a..e8b015ba6 100644 --- a/kbx/kbxutil.c +++ b/kbx/kbxutil.c @@ -234,8 +234,9 @@ main( int argc, char **argv ) /*create_dotlock(NULL); register locking cleanup */ i18n_init(); - /* We need to use the gcry malloc function becuase jnlib does use them */ + /* We need to use the gcry malloc function because jnlib does use them */ keybox_set_malloc_hooks (gcry_malloc, gcry_realloc, gcry_free); + ksba_set_malloc_hooks (gcry_malloc, gcry_realloc, gcry_free ); pargs.argc = &argc; diff --git a/kbx/keybox-blob.c b/kbx/keybox-blob.c index 7db62165a..84ebc904c 100644 --- a/kbx/keybox-blob.c +++ b/kbx/keybox-blob.c @@ -39,25 +39,29 @@ The first record of a plain KBX file has a special format: byte pgp_completes ditto. byte pgp_cert_depth ditto. -The OpenPGP KBX Blob looks like this: +The OpenPGP and X.509 blob are verry similiar, things which are +X.509 specific are noted like [X.509: xxx] u32 length of this blob (including these 4 bytes) - byte Blob type (2) + byte Blob type (2) [X509: 3] byte version number of this blob type (1) u16 Blob flags bit 0 = contains secret key material - u32 offset to the OpenPGP keyblock - u32 length of the keyblock - u16 number of keys (at least 1!) + u32 offset to the OpenPGP keyblock or X509 DER encoded certificate + u32 ant its length + u16 number of keys (at least 1!) [X509: always 1] u16 size of additional key information n times: b20 The keys fingerprint (fingerprints are always 20 bytes, MD5 left padded with zeroes) u32 offset to the n-th key's keyID (a keyID is always 8 byte) + or 0 if not known which is the case opnly for X509. u16 special key flags bit 0 = u16 reserved + u16 size of serialnumber(may be zero) + n u16 (see above) bytes of serial number u16 number of user IDs u16 size of additional user ID information n times: @@ -67,6 +71,8 @@ The OpenPGP KBX Blob looks like this: bit 0 = byte validity byte reserved + [For X509, the first user ID is the ISsuer, the second the subject + and the others are subjectAltNames] u16 number of signatures u16 size of signature information (4) u32 expiration time of signature with some special values: @@ -75,8 +81,8 @@ The OpenPGP KBX Blob looks like this: 0x00000002 = bad signature 0x10000000 = valid and expires at some date in 1978. 0xffffffff = valid and does not expire - u8 assigned ownertrust - u8 all_validity + u8 assigned ownertrust [X509: no used] + u8 all_validity [X509: no used] u16 reserved u32 recheck_after u32 Newest timestamp in the keyblock (useful for KS syncronsiation?) @@ -90,7 +96,9 @@ The OpenPGP KBX Blob looks like this: maybe we put a signature here later. - b16 MD5 checksum (useful for KS syncronisation) + b16 MD5 checksum (useful for KS syncronisation), we might also want to use + a mac here. + b4 resevered */ @@ -103,8 +111,17 @@ The OpenPGP KBX Blob looks like this: #include <assert.h> #include <gcrypt.h> +#ifdef KEYBOX_WITH_OPENPGP +/* include stuff to parse the packets */ +#endif +#ifdef KEYBOX_WITH_X509 +#include <ksba.h> +#endif + #include "keybox-defs.h" + + /* special values of the signature status */ #define SF_NONE(a) ( !(a) ) #define SF_NOKEY(a) ((a) & (1<<0)) @@ -125,16 +142,17 @@ struct membuf { /* #endif */ struct keyboxblob_key { - char fpr[20]; - u32 off_kid; - ulong off_kid_addr; - u16 flags; + char fpr[20]; + u32 off_kid; + ulong off_kid_addr; + u16 flags; }; struct keyboxblob_uid { - ulong off_addr; - u32 len; - u16 flags; - byte validity; + ulong off_addr; + char *name; /* used only with x509 */ + u32 len; + u16 flags; + byte validity; }; struct keyid_list { @@ -155,6 +173,8 @@ struct keyboxblob { size_t bloblen; /* stuff used only by keybox_create_blob */ + unsigned char *serial; + size_t seriallen; int nkeys; struct keyboxblob_key *keys; int nuids; @@ -162,9 +182,11 @@ struct keyboxblob { int nsigs; u32 *sigs; struct fixup_list *fixups; + int fixup_out_of_core; struct keyid_list *temp_kids; - struct membuf *buf; /* temporary store for the blob */ + struct membuf bufbuf; /* temporary store for the blob */ + struct membuf *buf; }; @@ -256,6 +278,28 @@ put32 (struct membuf *mb, u32 a ) } +/* Store a value in the fixup list */ +static void +add_fixup (KEYBOXBLOB blob, u32 off, u32 val) +{ + struct fixup_list *fl; + + if (blob->fixup_out_of_core) + return; + + fl = xtrycalloc(1, sizeof *fl); + if (!fl) + blob->fixup_out_of_core = 1; + else + { + fl->off = off; + fl->val = val; + fl->next = blob->fixups; + blob->fixups = fl; + } +} + + /* Some wrappers */ @@ -396,16 +440,7 @@ pgp_create_blob_keyblock (KEYBOXBLOB blob, KBNODE keyblock) int n; u32 kbstart = a->len; - { - struct fixup_list *fl = xtrycalloc(1, sizeof *fl ); - - if (!fl) - return KEYBOX_Out_Of_Core; - fl->off = 8; - fl->val = kbstart; - fl->next = blob->fixups; - blob->fixups = fl; - } + add_fixup (blob, kbstart); for (n = 0, node = keyblock; node; node = node->next) { @@ -420,28 +455,16 @@ pgp_create_blob_keyblock (KEYBOXBLOB blob, KBNODE keyblock) PKT_user_id *u = node->pkt->pkt.user_id; /* build_packet has set the offset of the name into u ; * now we can do the fixup */ - struct fixup_list *fl = xcalloc(1, sizeof *fl ); /* fixme */ - fl->off = blob->uids[n].off_addr; - fl->val = u->stored_at; - fl->next = blob->fixups; - blob->fixups = fl; + add_fixup (blob, blob->uids[n].off_addr, u->stored_at); n++; } } assert (n == blob->nuids); - { - struct fixup_list *fl = xcalloc(1, sizeof *fl ); /* fixme */ - - fl->off = 12; - fl->val = a->len - kbstart; - fl->next = blob->fixups; - blob->fixups = fl; - } - + add_fixup (blob, a->len - kbstart); return 0; } - + #endif /*KEYBOX_WITH_OPENPGP*/ @@ -450,6 +473,27 @@ pgp_create_blob_keyblock (KEYBOXBLOB blob, KBNODE keyblock) X.509 specific stuff */ +/* Write the raw certificate out */ +static int +x509_create_blob_cert (KEYBOXBLOB blob, KsbaCert cert) +{ + struct membuf *a = blob->buf; + const unsigned char *image; + size_t length; + u32 kbstart = a->len; + + /* Store our offset for later fixup */ + add_fixup (blob, 8, kbstart); + + image = ksba_cert_get_image (cert, &length); + if (!image) + return KEYBOX_General_Error; + put_membuf (a, image, length); + + add_fixup (blob, 12, a->len - kbstart); + return 0; +} + #endif /*KEYBOX_WITH_X509*/ /* Write a stored keyID out to the buffer */ @@ -509,6 +553,10 @@ create_blob_header (KEYBOXBLOB blob, int blobtype) put16 ( a, 0 ); /* reserved */ } + put16 (a, blob->seriallen); /*fixme: check that it fits into 16 bits*/ + if (blob->serial) + put_membuf (a, blob->serial+4, blob->seriallen); + put16 ( a, blob->nuids ); put16 ( a, 4 + 4 + 2 + 1 + 1 ); /* size of uid info */ for (i=0; i < blob->nuids; i++) @@ -537,31 +585,42 @@ create_blob_header (KEYBOXBLOB blob, int blobtype) put32 ( a, 0 ); /* size of reserved space */ /* reserved space (which is currently of size 0) */ - /* We need to store the keyids for all pgp v3 keys because those key - IDs are not part of the fingerprint. While we are doing that, we - fixup all the keyID offsets */ - for (i=0; i < blob->nkeys; i++ ) + /* space where we write keyIDs and and other stuff so that the + pointers can actually point to somewhere */ + if (blobtype == BLOBTYPE_PGP) { - struct fixup_list *fl = xtrycalloc(1, sizeof *fl ); - - if (!fl) - return KEYBOX_Out_Of_Core; - - fl->off = blob->keys[i].off_kid_addr; - fl->next = blob->fixups; - blob->fixups = fl; - - if (blob->keys[i].off_kid) - { /* this is a v3 one */ - fl->val = a->len; - write_stored_kid (blob, blob->keys[i].off_kid); - } - else - { /* the better v4 key IDs - just store an offset 8 bytes back */ - fl->val = blob->keys[i].off_kid_addr - 8; - } + /* We need to store the keyids for all pgp v3 keys because those key + IDs are not part of the fingerprint. While we are doing that, we + fixup all the keyID offsets */ + for (i=0; i < blob->nkeys; i++ ) + { + if (blob->keys[i].off_kid) + { /* this is a v3 one */ + add_fixup (blob, blob->keys[i].off_kid_addr, a->len); + write_stored_kid (blob, blob->keys[i].off_kid); + } + else + { /* the better v4 key IDs - just store an offset 8 bytes back */ + add_fixup (blob, blob->keys[i].off_kid_addr, + blob->keys[i].off_kid_addr - 8); + } + } } + if (blobtype == BLOBTYPE_X509) + { + /* We don't want to point to ASN.1 encoded UserIDs (DNs) but to + the utf-8 string represenation of them */ + for (i=0; i < blob->nuids; i++ ) + { + if (blob->uids[i].name) + { /* this is a v3 one */ + add_fixup (blob, blob->uids[i].off_addr, a->len); + put_membuf (blob->buf, blob->uids[i].name, blob->uids[i].len); + } + } + } + return 0; } @@ -585,25 +644,21 @@ create_blob_finish (KEYBOXBLOB blob) /* write a placeholder for the checksum */ for (i = 0; i < 16; i++ ) - put32 (a, 0); + put32 (a, 0); /* Hmmm: why put32() ?? */ /* get the memory area */ - p = a->buf; - n = a->len; + p = get_membuf (a, &n); + if (!p) + return KEYBOX_Out_Of_Core; assert (n >= 20); /* fixup the length */ - { - struct fixup_list *fl = xtrycalloc(1, sizeof *fl); - if (!fl) - return KEYBOX_Out_Of_Core; - fl->off = 0; - fl->val = n; - fl->next = blob->fixups; - blob->fixups = fl; - } + add_fixup (blob, 0, n); /* do the fixups */ + if (blob->fixup_out_of_core) + return KEYBOX_Out_Of_Core; + { struct fixup_list *fl; for (fl = blob->fixups; fl; fl = fl->next) @@ -680,7 +735,8 @@ _keybox_create_pgp_blob (KEYBOXBLOB *r_blob, KBNODE keyblock) if (rc) goto leave; - init_membuf (blob->buf, 1024); + init_membuf (&blob->bufbuf, 1024); + blob->buf = &blob->bufbuf; rc = create_blob_header (blob, BLOBTYPE_OPENPGP); if (rc) goto leave; @@ -711,6 +767,101 @@ _keybox_create_pgp_blob (KEYBOXBLOB *r_blob, KBNODE keyblock) } #endif /*KEYBOX_WITH_OPENPGP*/ +#ifdef KEYBOX_WITH_X509 +/* Note: We should move calculation of the digest into libksba and + remove that parameter */ +int +_keybox_create_x509_blob (KEYBOXBLOB *r_blob, KsbaCert cert, + unsigned char *sha1_digest) +{ + int rc = 0; + KEYBOXBLOB blob; + unsigned char *p; + + *r_blob = NULL; + blob = xtrycalloc (1, sizeof *blob); + if( !blob ) + return KEYBOX_Out_Of_Core; + + p = ksba_cert_get_serial (cert); + if (p) + { + size_t n = (p[0] << 24) | (p[1] << 16) | (p[2] <<8) | p[3]; + blob->seriallen = n; + blob->serial = p; + } + + + blob->nkeys = 1; + blob->nuids = 2; /* issuer and subject - fixme: count alternate names */ + blob->nsigs = 1; + + blob->keys = xtrycalloc (blob->nkeys, sizeof *blob->keys ); + blob->uids = xtrycalloc (blob->nuids, sizeof *blob->uids ); + blob->sigs = xtrycalloc (blob->nsigs, sizeof *blob->sigs ); + if (!blob->keys || !blob->uids || !blob->sigs) + { + rc = KEYBOX_Out_Of_Core; + goto leave; + } + + memcpy (blob->keys[0].fpr, sha1_digest, 20); + blob->keys[0].off_kid = 0; /* We don't have keyids */ + blob->keys[0].flags = 0; + + /* issuer */ + p = ksba_cert_get_issuer (cert); + blob->uids[0].name = p; + blob->uids[0].len = p? (strlen(p)+1):0; + blob->uids[0].flags = 0; + blob->uids[0].validity = 0; + + /* subject */ + p = ksba_cert_get_subject (cert); + blob->uids[1].name = p; + blob->uids[1].len = p? (strlen(p)+1):0; + blob->uids[1].flags = 0; + blob->uids[1].validity = 0; + + /* fixme: add alternate names */ + + /* signatures */ + blob->sigs[0] = 0; /* not yet checked */ + + /* Create a temporary buffer for further processing */ + init_membuf (&blob->bufbuf, 1024); + blob->buf = &blob->bufbuf; + /* write out what we already have */ + rc = create_blob_header (blob, BLOBTYPE_X509); + if (rc) + goto leave; + rc = x509_create_blob_cert (blob, cert); + if (rc) + goto leave; + rc = create_blob_trailer (blob); + if (rc) + goto leave; + rc = create_blob_finish ( blob ); + if (rc) + goto leave; + + + leave: + release_kid_list (blob->temp_kids); + blob->temp_kids = NULL; + if (rc) + { + _keybox_release_blob (blob); + *r_blob = NULL; + } + else + { + *r_blob = blob; + } + return rc; +} +#endif /*KEYBOX_WITH_X509*/ + int @@ -732,11 +883,14 @@ _keybox_new_blob (KEYBOXBLOB *r_blob, char *image, size_t imagelen) void _keybox_release_blob (KEYBOXBLOB blob) { + int i; if (!blob) return; -/* if (blob->buf) */ -/* iobuf_cancel( blob->buf ); */ + /* hmmm: release membuf here?*/ xfree (blob->keys ); + xfree (blob->serial); + for (i=0; i < blob->nuids; i++) + xfree (blob->uids[i].name); xfree (blob->uids ); xfree (blob->sigs ); xfree (blob->blob ); @@ -751,5 +905,3 @@ _keybox_get_blob_image ( KEYBOXBLOB blob, size_t *n ) *n = blob->bloblen; return blob->blob; } - - diff --git a/kbx/keybox-defs.h b/kbx/keybox-defs.h index 2adbdd22f..308c1fff3 100644 --- a/kbx/keybox-defs.h +++ b/kbx/keybox-defs.h @@ -41,6 +41,8 @@ enum { }; +typedef struct keyboxblob *KEYBOXBLOB; + typedef struct keybox_name *KB_NAME; typedef struct keybox_name const * CONST_KB_NAME; @@ -56,16 +58,13 @@ struct keybox_name { struct keybox_handle { - CONST_KB_NAME resource; + CONST_KB_NAME kb; int secret; /* this is for a secret keybox */ + FILE *fp; + int eof; + int error; struct { - CONST_KB_NAME kb; - /*IOBUF iobuf;*/ - int eof; - int error; - } current; - struct { - CONST_KB_NAME kb; + KEYBOXBLOB blob; off_t offset; size_t pk_no; size_t uid_no; @@ -78,17 +77,32 @@ struct keybox_handle { }; -typedef struct keyboxblob *KEYBOXBLOB; - +/* Don't know whether this is needed: */ +/* static struct { */ +/* const char *homedir; */ +/* int dry_run; */ +/* int quiet; */ +/* int verbose; */ +/* int preserve_permissions; */ +/* } keybox_opt; */ /*-- keybox-blob.c --*/ +#ifdef KEYBOX_WITH_OPENPGP + /* fixme */ +#endif /*KEYBOX_WITH_OPENPGP*/ +#ifdef KEYBOX_WITH_X509 +int _keybox_create_x509_blob (KEYBOXBLOB *r_blob, KsbaCert cert, + unsigned char *sha1_digest); +#endif /*KEYBOX_WITH_X509*/ + int _keybox_new_blob (KEYBOXBLOB *r_blob, char *image, size_t imagelen); void _keybox_release_blob (KEYBOXBLOB blob); const char *_keybox_get_blob_image (KEYBOXBLOB blob, size_t *n); /*-- keybox-file.c --*/ int _keybox_read_blob (KEYBOXBLOB *r_blob, FILE *fp); +int _keybox_write_blob (KEYBOXBLOB blob, FILE *fp); /*-- keybox-dump.c --*/ int _keybox_dump_blob (KEYBOXBLOB blob, FILE *fp); diff --git a/kbx/keybox-dump.c b/kbx/keybox-dump.c index 6022900f2..d84ae7349 100644 --- a/kbx/keybox-dump.c +++ b/kbx/keybox-dump.c @@ -46,6 +46,35 @@ get16 (const byte *buffer) return a; } +void +print_string (FILE *fp, const byte *p, size_t n, int delim) +{ + for ( ; n; n--, p++ ) + { + if (*p < 0x20 || (*p >= 0x7f && *p < 0xa0) || *p == delim) + { + putc('\\', fp); + if( *p == '\n' ) + putc('n', fp); + else if( *p == '\r' ) + putc('r', fp); + else if( *p == '\f' ) + putc('f', fp); + else if( *p == '\v' ) + putc('v', fp); + else if( *p == '\b' ) + putc('b', fp); + else if( !*p ) + putc('0', fp); + else + fprintf(fp, "x%02x", *p ); + } + else + putc(*p, fp); + } +} + + static int dump_header_blob (const byte *buffer, size_t length, FILE *fp) { @@ -67,6 +96,7 @@ _keybox_dump_blob (KEYBOXBLOB blob, FILE *fp) ulong nuids, uidinfolen; ulong nsigs, siginfolen; ulong rawdata_off, rawdata_len; + ulong nserial; const byte *p; buffer = _keybox_get_blob_image (blob, &length); @@ -128,19 +158,33 @@ _keybox_dump_blob (KEYBOXBLOB blob, FILE *fp) int i; ulong kidoff, kflags; - fprintf (fp, "Key-%lu-Fpr: ", n ); + fprintf (fp, "Key-Fpr[%lu]: ", n ); for (i=0; i < 20; i++ ) fprintf (fp, "%02X", p[i]); kidoff = get32 (p + 20); - fprintf (fp, "\nKey-%lu-Kid-Off: %lu\n", n, kidoff ); - fprintf (fp, "Key-%lu-Kid: ", n ); + fprintf (fp, "\nKey-Kid-Off[%lu]: %lu\n", n, kidoff ); + fprintf (fp, "Key-Kid[%lu]: ", n ); /* fixme: check bounds */ for (i=0; i < 8; i++ ) fprintf (fp, "%02X", buffer[kidoff+i] ); kflags = get16 (p + 24 ); - fprintf( fp, "\nKey-%lu-Flags: %04lX\n", n, kflags); + fprintf( fp, "\nKey-Flags[%lu]: %04lX\n", n, kflags); } + /* serial number */ + fputs ("Serial-No: ", fp); + nserial = get16 (p); + p += 2; + if (!nserial) + fputs ("none", fp); + else + { + for (; nserial; nserial--, p++) + fprintf (fp, "%02X", *p); + } + putc ('\n', fp); + + /* user IDs */ nuids = get16 (p); fprintf (fp, "Uid-Count: %lu\n", nuids ); uidinfolen = get16 (p + 2); @@ -153,14 +197,42 @@ _keybox_dump_blob (KEYBOXBLOB blob, FILE *fp) uidoff = get32( p ); uidlen = get32( p+4 ); - fprintf (fp, "Uid-%lu-Off: %lu\n", n, uidoff ); - fprintf (fp, "Uid-%lu-Len: %lu\n", n, uidlen ); - fprintf (fp, "Uid-%lu: \"", n ); - /*print_string (fp, buffer+uidoff, uidlen, '\"');*/ + if (type == BLOBTYPE_X509 && !n) + { + fprintf (fp, "Issuer-Off: %lu\n", uidoff ); + fprintf (fp, "Issuer-Len: %lu\n", uidlen ); + fprintf (fp, "Issuer: \""); + } + else if (type == BLOBTYPE_X509 && n == 1) + { + fprintf (fp, "Subject-Off: %lu\n", uidoff ); + fprintf (fp, "Subject-Len: %lu\n", uidlen ); + fprintf (fp, "Subject: \""); + } + else + { + fprintf (fp, "Uid-Off[%lu]: %lu\n", n, uidoff ); + fprintf (fp, "Uid-Len[%lu]: %lu\n", n, uidlen ); + fprintf (fp, "Uid[%lu]: \"", n ); + } + print_string (fp, buffer+uidoff, uidlen, '\"'); fputs ("\"\n", fp); uflags = get16 (p + 8); - fprintf (fp, "Uid-%lu-Flags: %04lX\n", n, uflags ); - fprintf (fp, "Uid-%lu-Validity: %d\n", n, p[10] ); + if (type == BLOBTYPE_X509 && !n) + { + fprintf (fp, "Issuer-Flags: %04lX\n", uflags ); + fprintf (fp, "Issuer-Validity: %d\n", p[10] ); + } + else if (type == BLOBTYPE_X509 && n == 1) + { + fprintf (fp, "Subject-Flags: %04lX\n", uflags ); + fprintf (fp, "Subject-Validity: %d\n", p[10] ); + } + else + { + fprintf (fp, "Uid-Flags[%lu]: %04lX\n", n, uflags ); + fprintf (fp, "Uid-Validity[%lu]: %d\n", n, p[10] ); + } } nsigs = get16 (p); @@ -174,7 +246,7 @@ _keybox_dump_blob (KEYBOXBLOB blob, FILE *fp) ulong sflags; sflags = get32 (p); - fprintf (fp, "Sig-%lu-Expire: ", n ); + fprintf (fp, "Sig-Expire[%lu]: ", n ); if (!sflags) fputs ("[not checked]", fp); else if (sflags == 1 ) diff --git a/kbx/keybox-errors.c b/kbx/keybox-errors.c index bd03cdff3..e75373c0b 100644 --- a/kbx/keybox-errors.c +++ b/kbx/keybox-errors.c @@ -32,6 +32,12 @@ keybox_strerror (KeyboxError err) case KEYBOX_File_Error: s="file error"; break; case KEYBOX_Blob_Too_Short: s="blob too short"; break; case KEYBOX_Blob_Too_Large: s="blob too large"; break; + case KEYBOX_Invalid_Handle: s="invalid handle"; break; + case KEYBOX_File_Create_Error: s="file create error"; break; + case KEYBOX_File_Open_Error: s="file open error"; break; + case KEYBOX_File_Close_Error: s="file close error"; break; + case KEYBOX_Nothing_Found: s="nothing found"; break; + case KEYBOX_Wrong_Blob_Type: s="wrong blob type"; break; default: sprintf (buf, "ec=%d", err ); s=buf; break; } diff --git a/kbx/keybox-file.c b/kbx/keybox-file.c index 66bca504f..715d3fbe2 100644 --- a/kbx/keybox-file.c +++ b/kbx/keybox-file.c @@ -25,7 +25,7 @@ #include "keybox-defs.h" - +/* Read a block at the current postion ant return it in r_blocb. r_blob may be NULL sto simply skip the current block */ int _keybox_read_blob (KEYBOXBLOB *r_blob, FILE *fp) { @@ -58,56 +58,28 @@ _keybox_read_blob (KEYBOXBLOB *r_blob, FILE *fp) image[0] = c1; image[1] = c2; image[2] = c3; image[3] = c4; if (fread (image+4, imagelen-4, 1, fp) != 1) { + xfree (image); return KEYBOX_Read_Error; } - rc = _keybox_new_blob (r_blob, image, imagelen); - if (rc) - xfree (image); + rc = r_blob? _keybox_new_blob (r_blob, image, imagelen) : 0; + if (rc || !r_blob) + xfree (image); return rc; } - - - -void -export_as_kbxfile(void) +/* Write the block to the current file position */ +int +_keybox_write_blob (KEYBOXBLOB blob, FILE *fp) { -#if 0 - KBPOS kbpos; - KBNODE keyblock = NULL; - int rc=0; + const char *image; + size_t length; - rc = enum_keyblocks_begin( &kbpos, 0 ); - if( rc ) { - if( rc != -1 ) - log_error("enum_keyblocks(open) failed: %s\n", gpg_errstr(rc) ); - goto leave; - } - - while( !(rc = enum_keyblocks_next( kbpos, 1, &keyblock )) ) { - KBXBLOB blob; - const char *p; - size_t n; - - merge_keys_and_selfsig( keyblock ); - rc = kbx_create_blob ( &blob, keyblock ); - if( rc ) { - log_error("kbx_create_blob failed: %s\n", gpg_errstr(rc) ); - goto leave; - } - p = kbx_get_blob_image ( blob, &n ); - fwrite( p, n, 1, stdout ); - kbx_release_blob ( blob ); + image = _keybox_get_blob_image (blob, &length); + if (fwrite (image, length, 1, fp) != 1) + { + return KEYBOX_Write_Error; } - - if( rc && rc != -1 ) - log_error("enum_keyblocks(read) failed: %s\n", gpg_errstr(rc)); - - leave: - enum_keyblocks_end( kbpos ); - release_kbnode( keyblock ); -#endif + return 0; } - diff --git a/kbx/keybox-init.c b/kbx/keybox-init.c index a4649d18c..1a4a587b9 100644 --- a/kbx/keybox-init.c +++ b/kbx/keybox-init.c @@ -23,44 +23,47 @@ #include <stdio.h> #include <string.h> #include <unistd.h> +#include <assert.h> #include "keybox-defs.h" +#define compare_filenames strcmp + +static KB_NAME kb_names; + + /* - * Register a filename for plain keybox files. Returns a pointer to - * be used to create a handles etc or NULL to indicate that it has - * already been registered */ + Register a filename for plain keybox files. Returns a pointer to be + used to create a handles etc or NULL to indicate that it has already + been registered */ void * keybox_register_file (const char *fname, int secret) { - return NULL; -#if 0 - KB_NAME kr; + KB_NAME kr; - if (active_handles) - BUG (); /* We don't allow that */ - - for (kr=kb_names; kr; kr = kr->next) { - if ( !compare_filenames (kr->fname, fname) ) - return NULL; /* already registered */ + for (kr=kb_names; kr; kr = kr->next) + { + if ( !compare_filenames (kr->fname, fname) ) + return NULL; /* already registered */ } - kr = m_alloc (sizeof *kr + strlen (fname)); - strcpy (kr->fname, fname); - kr->secret = !!secret; - kr->lockhd = NULL; - kr->is_locked = 0; - kr->did_full_scan = 0; - /* keep a list of all issued pointers */ - kr->next = kb_names; - kb_names = kr; - - /* create the offset table the first time a function here is used */ - if (!kb_offtbl) - kb_offtbl = new_offset_hash_table (); - - return kr; -#endif + kr = xtrymalloc (sizeof *kr + strlen (fname)); + if (!kr) + return NULL; + strcpy (kr->fname, fname); + kr->secret = !!secret; + /* kr->lockhd = NULL;*/ + kr->is_locked = 0; + kr->did_full_scan = 0; + /* keep a list of all issued pointers */ + kr->next = kb_names; + kb_names = kr; + + /* create the offset table the first time a function here is used */ +/* if (!kb_offtbl) */ +/* kb_offtbl = new_offset_hash_table (); */ + + return kr; } int @@ -70,4 +73,48 @@ keybox_is_writable (void *token) return r? !access (r->fname, W_OK) : 0; } + + +/* Create a new handle for the resource associated with TOKEN. SECRET + is just a cross-check. + + The returned handle must be released using keybox_release (). */ +KEYBOX_HANDLE +keybox_new (void *token, int secret) +{ + KEYBOX_HANDLE hd; + KB_NAME resource = token; + + assert (resource && !resource->secret == !secret); + hd = xtrycalloc (1, sizeof *hd); + if (hd) + { + hd->kb = resource; + hd->secret = !!secret; + } + return hd; +} + +void +keybox_release (KEYBOX_HANDLE hd) +{ + if (!hd) + return; + _keybox_release_blob (hd->found.blob); + xfree (hd->word_match.name); + xfree (hd->word_match.pattern); + xfree (hd); +} + + +const char * +keybox_get_resource_name (KEYBOX_HANDLE hd) +{ + if (!hd || !hd->kb) + return NULL; + return hd->kb->fname; +} + + + diff --git a/kbx/keybox-search-desc.h b/kbx/keybox-search-desc.h new file mode 100644 index 000000000..22bcba69b --- /dev/null +++ b/kbx/keybox-search-desc.h @@ -0,0 +1,69 @@ +/* keybox-search-desc.h - Keybox serch description + * Copyright (C) 2001 Free Software Foundation, Inc. + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + +/* + This file is a temporary kludge until we can come up with solution + to share this description between keybox and the application + specific keydb +*/ + +#ifndef KEYBOX_SEARCH_DESC_H +#define KEYBOX_SEARCH_DESC_H 1 + +typedef enum { + KEYDB_SEARCH_MODE_NONE, + KEYDB_SEARCH_MODE_EXACT, + KEYDB_SEARCH_MODE_SUBSTR, + KEYDB_SEARCH_MODE_MAIL, + KEYDB_SEARCH_MODE_MAILSUB, + KEYDB_SEARCH_MODE_MAILEND, + KEYDB_SEARCH_MODE_WORDS, + KEYDB_SEARCH_MODE_SHORT_KID, + KEYDB_SEARCH_MODE_LONG_KID, + KEYDB_SEARCH_MODE_FPR16, + KEYDB_SEARCH_MODE_FPR20, + KEYDB_SEARCH_MODE_FPR, + KEYDB_SEARCH_MODE_ISSUER, + KEYDB_SEARCH_MODE_ISSUER_SN, + KEYDB_SEARCH_MODE_FIRST, + KEYDB_SEARCH_MODE_NEXT +} KeydbSearchMode; + +struct keydb_search_desc { + KeydbSearchMode mode; + int (*skipfnc)(void *,void*); /* used to be: void*, u32* */ + void *skipfncvalue; + const unsigned char *sn; /* used only with _MODE_ISSUER_SN */ + union { + const char *name; + char fpr[24]; + /*fixme: u32 kid[2];*/ + } u; +}; + + +struct keydb_search_desc; +typedef struct keydb_search_desc KEYDB_SEARCH_DESC; + +typedef struct keydb_search_desc KEYBOX_SEARCH_DESC; + + + +#endif /*KEYBOX_SEARCH_DESC_H*/ diff --git a/kbx/keybox-search.c b/kbx/keybox-search.c index d2c61ff21..3468a8ecf 100644 --- a/kbx/keybox-search.c +++ b/kbx/keybox-search.c @@ -25,134 +25,417 @@ #include "keybox-defs.h" +static ulong +get32 (const byte *buffer) +{ + ulong a; + a = *buffer << 24; + a |= buffer[1] << 16; + a |= buffer[2] << 8; + a |= buffer[3]; + return a; +} -/**************** - * Check whether the given fingerprint (20 bytes) is in the - * given keyblob. fpr is always 20 bytes. - * Return: 0 = found - * -1 = not found - other = error (fixme: do not always reurn gpgerr_general) - */ -int -keybox_blob_has_fpr ( KEYBOXBLOB blob, const byte *fpr ) +static ulong +get16 (const byte *buffer) +{ + ulong a; + a = *buffer << 8; + a |= buffer[1]; + return a; +} + + + +static int +blob_get_type (KEYBOXBLOB blob) +{ + const unsigned char *buffer; + size_t length; + + buffer = _keybox_get_blob_image (blob, &length); + if (length < 40) + return -1; /* blob too short */ + + return buffer[4]; +} + + +static int +blob_cmp_sn (KEYBOXBLOB blob, const unsigned char *sn) +{ + size_t snlen; + const unsigned char *buffer; + size_t length; + size_t pos, off; + size_t nkeys, keyinfolen; + size_t nserial; + + snlen = (sn[0] << 24) | (sn[1] << 16) | (sn[2] << 8) | sn[3]; + sn += 4; + + buffer = _keybox_get_blob_image (blob, &length); + if (length < 40) + return 0; /* blob too short */ + + /*keys*/ + nkeys = get16 (buffer + 16); + keyinfolen = get16 (buffer + 18 ); + if (keyinfolen < 28) + return 0; /* invalid blob */ + pos = 20 + keyinfolen*nkeys; + if (pos+2 > length) + return 0; /* out of bounds */ + + /*serial*/ + nserial = get16 (buffer+pos); + off = pos + 2; + if (off+nserial > length) + return 0; /* out of bounds */ + + return nserial == snlen && !memcmp (buffer+off, sn, snlen); +} + +static int +blob_cmp_name (KEYBOXBLOB blob, int idx, const char *name, size_t namelen) { - ulong n, nkeys, keyinfolen; - const byte *p, *pend; - byte *buffer = blob->blob; - size_t buflen = blob->bloblen; - - if ( buflen < 40 ) - return GPGERR_GENERAL; /* blob too short */ - n = get32( buffer ); - if ( n > buflen ) - return GPGERR_GENERAL; /* blob larger than announced length */ - buflen = n; /* ignore trailing stuff */ - pend = buffer + n - 1; - - if ( buffer[4] != 2 ) - return GPGERR_GENERAL; /* invalid blob type */ - if ( buffer[5] != 1 ) - return GPGERR_GENERAL; /* invalid blob format version */ - - nkeys = get16( buffer + 16 ); - keyinfolen = get16( buffer + 18 ); - p = buffer + 20; - for(n=0; n < nkeys; n++, p += keyinfolen ) { - if ( p+20 > pend ) - return GPGERR_GENERAL; /* blob shorter than required */ - if (!memcmp ( p, fpr, 20 ) ) - return 0; /* found */ + const unsigned char *buffer; + size_t length; + size_t pos, off, len; + size_t nkeys, keyinfolen; + size_t nuids, uidinfolen; + size_t nserial; + + buffer = _keybox_get_blob_image (blob, &length); + if (length < 40) + return 0; /* blob too short */ + + /*keys*/ + nkeys = get16 (buffer + 16); + keyinfolen = get16 (buffer + 18 ); + if (keyinfolen < 28) + return 0; /* invalid blob */ + pos = 20 + keyinfolen*nkeys; + if (pos+2 > length) + return 0; /* out of bounds */ + + /*serial*/ + nserial = get16 (buffer+pos); + pos += 2 + nserial; + if (pos+4 > length) + return 0; /* out of bounds */ + + /* user ids*/ + nuids = get16 (buffer + pos); pos += 2; + uidinfolen = get16 (buffer + pos); pos += 2; + if (uidinfolen < 12 /* should add a: || nuidinfolen > MAX_UIDINFOLEN */) + return 0; /* invalid blob */ + if (pos + uidinfolen*nuids > length) + return 0; /* out of bounds */ + + if (idx > nuids) + return 0; /* no user ID with that idx */ + pos += idx*uidinfolen; + off = get32 (buffer+pos); + len = get32 (buffer+pos+4); + if (off+len > length) + return 0; /* out of bounds */ + if (len < 2) + return 0; /* empty name or 0 not stored */ + len--; + + return len == namelen && !memcmp (buffer+off, name, len); +} + + + + +/* + The has_foo functions are used as helpers for search +*/ +#if 0 +static int +has_short_kid (KEYBOXBLOB blob, u32 kid) +{ + return 0; +} + +static int +has_long_kid (KEYBOXBLOB blob, u32 *kid) +{ + return 0; +} +#endif + +static int +has_fingerprint (KEYBOXBLOB blob, const unsigned char *fpr) +{ + return 0; +} + + +static int +has_issuer (KEYBOXBLOB blob, const char *name) +{ + size_t namelen; + + return_val_if_fail (name, 0); + + if (blob_get_type (blob) != BLOBTYPE_X509) + return 0; + + namelen = strlen (name); + return blob_cmp_name (blob, 0 /* issuer */, name, namelen); +} + +static int +has_issuer_sn (KEYBOXBLOB blob, const char *name, const unsigned char *sn) +{ + size_t namelen; + + return_val_if_fail (name, 0); + return_val_if_fail (sn, 0); + + if (blob_get_type (blob) != BLOBTYPE_X509) + return 0; + + namelen = strlen (name); + + return (blob_cmp_sn (blob, sn) + && blob_cmp_name (blob, 0 /* issuer */, name, namelen)); +} + + + +/* + + The search API + +*/ + +int +keybox_search_reset (KEYBOX_HANDLE hd) +{ + if (!hd) + return KEYBOX_Invalid_Value; + + if (hd->found.blob) + { + _keybox_release_blob (hd->found.blob); + hd->found.blob = NULL; + } + + if (hd->fp) + { + fclose (hd->fp); + hd->fp = NULL; } - return -1; + hd->error = 0; + hd->eof = 0; + return 0; } -/**************** - * Check whether the given keyID (20 bytes) is in the - * given keyblob. - * Return: 0 = found - * -1 = not found - other = error (fixme: do not always return gpgerr_general) - */ -int -keybox_blob_has_kid ( KEYBOXBLOB blob, const byte *keyidbuf, size_t keyidlen ) +int +keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc) { - ulong n, nkeys, keyinfolen, off; - const byte *p, *pend; - byte *buffer = blob->blob; - size_t buflen = blob->bloblen; - - if ( buflen < 40 ) - return GPGERR_GENERAL; /* blob too short */ - n = get32( buffer ); - if ( n > buflen ) - return GPGERR_GENERAL; /* blob larger than announced length */ - buflen = n; /* ignore trailing stuff */ - pend = buffer + n - 1; - - if ( buffer[4] != 2 ) - return GPGERR_GENERAL; /* invalid blob type */ - if ( buffer[5] != 1 ) - return GPGERR_GENERAL; /* invalid blob format version */ - - nkeys = get16( buffer + 16 ); - keyinfolen = get16( buffer + 18 ); - p = buffer + 20; - for(n=0; n < nkeys; n++, p += keyinfolen ) { - if ( p+24 > pend ) - return GPGERR_GENERAL; /* blob shorter than required */ - off = get32 ( p + 20 ); - if (keyidlen < 8 ) /* actually keyidlen may either be 4 or 8 */ - off +=4; - if ( off+keyidlen > buflen ) - return GPGERR_GENERAL; /* offset out of bounds */ - if ( !memcmp ( buffer+off, keyidbuf, keyidlen ) ) - return 0; /* found */ + int rc; + size_t n; + int need_words, any_skip; + KEYBOXBLOB blob = NULL; + + if (!hd) + return KEYBOX_Invalid_Value; + + /* clear last found result */ + if (hd->found.blob) + { + _keybox_release_blob (hd->found.blob); + hd->found.blob = NULL; + } + + if (hd->error) + return hd->error; /* still in error state */ + if (hd->eof) + return -1; /* still EOF */ + + /* figure out what information we need */ + need_words = any_skip = 0; + for (n=0; n < ndesc; n++) + { + switch (desc[n].mode) + { + case KEYDB_SEARCH_MODE_WORDS: + need_words = 1; + break; + case KEYDB_SEARCH_MODE_FIRST: + /* always restart the search in this mode */ + keybox_search_reset (hd); + break; + default: + break; + } + if (desc[n].skipfnc) + any_skip = 1; + } + + if (!hd->fp) + { + hd->fp = fopen (hd->kb->fname, "rb"); + if (!hd->fp) + return (hd->error = KEYBOX_File_Open_Error); + } + + + for (;;) + { + _keybox_release_blob (blob); blob = NULL; + rc = _keybox_read_blob (&blob, hd->fp); + if (rc) + break; + + for (n=0; n < ndesc; n++) + { + switch (desc[n].mode) + { + case KEYDB_SEARCH_MODE_NONE: + never_reached (); + break; + case KEYDB_SEARCH_MODE_EXACT: + case KEYDB_SEARCH_MODE_SUBSTR: + case KEYDB_SEARCH_MODE_MAIL: + case KEYDB_SEARCH_MODE_MAILSUB: + case KEYDB_SEARCH_MODE_MAILEND: + case KEYDB_SEARCH_MODE_WORDS: + never_reached (); /* not yet implemented */ + break; + case KEYDB_SEARCH_MODE_ISSUER: + if (has_issuer (blob, desc[n].u.name)) + goto found; + break; + case KEYDB_SEARCH_MODE_ISSUER_SN: + if (has_issuer_sn (blob, desc[n].u.name, desc[n].sn)) + goto found; + break; + case KEYDB_SEARCH_MODE_SHORT_KID: +/* if (has_short_kid (blob, desc[n].u.kid[1])) */ +/* goto found; */ + break; + case KEYDB_SEARCH_MODE_LONG_KID: +/* if (has_long_kid (blob, desc[n].u.kid)) */ +/* goto found; */ + break; + case KEYDB_SEARCH_MODE_FPR: + if (has_fingerprint (blob, desc[n].u.fpr)) + goto found; + break; + case KEYDB_SEARCH_MODE_FIRST: + goto found; + break; + case KEYDB_SEARCH_MODE_NEXT: + goto found; + break; + default: + rc = KEYBOX_Invalid_Value; + goto found; + } + } + continue; + found: + for (n=any_skip?0:ndesc; n < ndesc; n++) + { +/* if (desc[n].skipfnc */ +/* && desc[n].skipfnc (desc[n].skipfncvalue, aki)) */ +/* break; */ + } + if (n == ndesc) + break; /* got it */ + } + + if (!rc) + { + hd->found.blob = blob; + } + else if (rc == -1) + { + _keybox_release_blob (blob); + hd->eof = 1; + } + else + { + _keybox_release_blob (blob); + hd->error = rc; } - return -1; + + return rc; } + +/* + Functions to return a certificate or a keyblock. To be used after + a successful search operation. +*/ +#ifdef KEYBOX_WITH_X509 +/* + Return the last found cert. Caller must free it. + */ int -keybox_blob_has_uid ( KEYBOXBLOB blob, - int (*cmp)(const byte *, size_t, void *), void *opaque ) +keybox_get_cert (KEYBOX_HANDLE hd, KsbaCert *r_cert) { - ulong n, nuids, uidinfolen, off, len; - const byte *p, *pend; - byte *buffer = blob->blob; - size_t buflen = blob->bloblen; - - if ( buflen < 40 ) - return GPGERR_GENERAL; /* blob too short */ - n = get32( buffer ); - if ( n > buflen ) - return GPGERR_GENERAL; /* blob larger than announced length */ - buflen = n; /* ignore trailing stuff */ - pend = buffer + n - 1; - - if ( buffer[4] != 2 ) - return GPGERR_GENERAL; /* invalid blob type */ - if ( buffer[5] != 1 ) - return GPGERR_GENERAL; /* invalid blob format version */ - - p = buffer + 20 + get16( buffer + 16 ) * get16( buffer + 18 ); - if ( p+4 > pend ) - return GPGERR_GENERAL; /* blob shorter than required */ - - nuids = get16( p ); p+= 2; - uidinfolen = get16( p ); p+=2; - for(n=0; n < nuids; n++, p += uidinfolen ) { - if ( p+8 > pend ) - return GPGERR_GENERAL; /* blob shorter than required */ - off = get32 ( p ); - len = get32 ( p + 4 ); - if ( off+len > buflen ) - return GPGERR_GENERAL; /* offset out of bounds */ - if ( (*cmp) ( buffer+off, len, opaque ) ) - return 0; /* found */ + const unsigned char *buffer; + size_t length; + size_t cert_off, cert_len; + KsbaReader reader = NULL; + KsbaCert cert = NULL; + int rc; + + if (!hd) + return KEYBOX_Invalid_Value; + if (!hd->found.blob) + return KEYBOX_Nothing_Found; + + if (blob_get_type (hd->found.blob) != BLOBTYPE_X509) + return KEYBOX_Wrong_Blob_Type; + + buffer = _keybox_get_blob_image (hd->found.blob, &length); + if (length < 40) + return KEYBOX_Blob_Too_Short; + cert_off = get32 (buffer+8); + cert_len = get32 (buffer+12); + if (cert_off+cert_len > length) + return KEYBOX_Blob_Too_Short; + + reader = ksba_reader_new (); + if (!reader) + return KEYBOX_Out_Of_Core; + rc = ksba_reader_set_mem (reader, buffer+cert_off, cert_len); + if (rc) + { + ksba_reader_release (reader); + /* fixme: need to map the error codes */ + return KEYBOX_General_Error; } - return -1; -} + cert = ksba_cert_new (); + if (!cert) + { + ksba_reader_release (reader); + return KEYBOX_Out_Of_Core; + } + rc = ksba_cert_read_der (cert, reader); + if (rc) + { + ksba_cert_release (cert); + ksba_reader_release (reader); + /* fixme: need to map the error codes */ + return KEYBOX_General_Error; + } + + *r_cert = cert; + ksba_reader_release (reader); + return 0; +} +#endif /*KEYBOX_WITH_X509*/ diff --git a/kbx/keybox-update.c b/kbx/keybox-update.c new file mode 100644 index 000000000..d49c3d027 --- /dev/null +++ b/kbx/keybox-update.c @@ -0,0 +1,390 @@ +/* keybox-update.c - keybox update operations + * Copyright (C) 2001 Free Software Foundation, Inc. + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + +#include <config.h> +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <errno.h> +#include <unistd.h> + +#include "keybox-defs.h" + +#define EXTSEP_S "." + + +static int +create_tmp_file (const char *template, + char **r_bakfname, char **r_tmpfname, FILE **r_fp) +{ + char *bakfname, *tmpfname; + + *r_bakfname = NULL; + *r_tmpfname = NULL; + +# ifdef USE_ONLY_8DOT3 + /* Here is another Windoze bug?: + * you cant rename("pubring.kbx.tmp", "pubring.kbx"); + * but rename("pubring.kbx.tmp", "pubring.aaa"); + * works. So we replace .kbx by .bak or .tmp + */ + if (strlen (template) > 4 + && !strcmp (template+strlen(template)-4, EXTSEP_S "kbx") ) + { + bakfname = xtrymalloc (strlen (template) + 1); + if (!bakfname) + return KEYBOX_Out_Of_Core; + strcpy (bakfname, template); + strcpy (bakfname+strlen(template)-4, EXTSEP_S "bak"); + + tmpfname = xtrymalloc (strlen (template) + 1); + if (!tmpfname) + { + xfree (bakfname); + return KEYBOX_Out_Of_Core; + } + strcpy (tmpfname,template); + strcpy (tmpfname + strlen (template)-4, EXTSEP_S "tmp"); + } + else + { /* file does not end with kbx; hmmm */ + bakfname = xtrymalloc ( strlen (template) + 5); + if (!bakfname) + return KEYBOX_Out_Of_Core; + strcpy (stpcpy (bakfname, template), EXTSEP_S "bak"); + + tmpfname = xtrymalloc ( strlen (template) + 5); + if (!tmpfname) + { + xfree (bakfname); + return KEYBOX_Out_Of_Core; + } + strcpy (stpcpy (tmpfname, template), EXTSEP_S "tmp"); + } +# else /* Posix file names */ + bakfname = xtrymalloc (strlen (template) + 2); + if (!bakfname) + return KEYBOX_Out_Of_Core; + strcpy (stpcpy (bakfname,template),"~"); + + tmpfname = xtrymalloc ( strlen (template) + 5); + if (!tmpfname) + { + xfree (bakfname); + return KEYBOX_Out_Of_Core; + } + strcpy (stpcpy (tmpfname,template), EXTSEP_S "tmp"); +# endif /* Posix filename */ + + *r_fp = fopen (tmpfname, "wb"); + if (!*r_fp) + { + xfree (tmpfname); + xfree (bakfname); + return KEYBOX_File_Create_Error; + } + + *r_bakfname = bakfname; + *r_tmpfname = tmpfname; + return 0; +} + + +static int +rename_tmp_file (const char *bakfname, const char *tmpfname, + const char *fname, int secret ) +{ + int rc=0; + + /* restrict the permissions for secret keyboxs */ +#ifndef HAVE_DOSISH_SYSTEM +/* if (secret && !opt.preserve_permissions) */ +/* { */ +/* if (chmod (tmpfname, S_IRUSR | S_IWUSR) ) */ +/* { */ +/* log_debug ("chmod of `%s' failed: %s\n", */ +/* tmpfname, strerror(errno) ); */ +/* return KEYBOX_Write_File; */ +/* } */ +/* } */ +#endif + + /* fixme: invalidate close caches (not used with stdio)*/ +/* iobuf_ioctl (NULL, 2, 0, (char*)tmpfname ); */ +/* iobuf_ioctl (NULL, 2, 0, (char*)bakfname ); */ +/* iobuf_ioctl (NULL, 2, 0, (char*)fname ); */ + + /* first make a backup file except for secret keyboxs */ + if (!secret) + { +#if defined(HAVE_DOSISH_SYSTEM) || defined(__riscos__) + remove (bakfname); +#endif + if (rename (fname, bakfname) ) + { + return KEYBOX_File_Error; + } + } + + /* then rename the file */ +#if defined(HAVE_DOSISH_SYSTEM) || defined(__riscos__) + remove (fname); +#endif + if (rename (tmpfname, fname) ) + { + rc = KEYBOX_File_Error; + if (secret) + { +/* log_info ("WARNING: 2 files with confidential" */ +/* " information exists.\n"); */ +/* log_info ("%s is the unchanged one\n", fname ); */ +/* log_info ("%s is the new one\n", tmpfname ); */ +/* log_info ("Please fix this possible security flaw\n"); */ + } + return rc; + } + + return 0; +} + + + +/* Perform insert/delete/update operation. + mode 1 = insert + 2 = delete + 3 = update +*/ +static int +blob_filecopy (int mode, const char *fname, KEYBOXBLOB blob, + int secret, off_t start_offset, unsigned int n_packets ) +{ + FILE *fp, *newfp; + int rc=0; + char *bakfname = NULL; + char *tmpfname = NULL; + char buffer[4096]; + int nread, nbytes; + + /* Open the source file. Because we do a rename, we have to check the + permissions of the file */ + if (access (fname, W_OK)) + return KEYBOX_Write_Error; + + fp = fopen (fname, "rb"); + if (mode == 1 && !fp && errno == ENOENT) + { /* insert mode but file does not exist: create a new keybox file */ + newfp = fopen (fname, "wb"); + if (!newfp ) + { + return KEYBOX_File_Create_Error; + } + + rc = _keybox_write_blob (blob, newfp); + if (rc) + { + return rc; + } + if ( fclose (newfp) ) + { + return KEYBOX_File_Create_Error; + } + +/* if (chmod( fname, S_IRUSR | S_IWUSR )) */ +/* { */ +/* log_debug ("%s: chmod failed: %s\n", fname, strerror(errno) ); */ +/* return KEYBOX_File_Error; */ +/* } */ + return 0; /* ready */ + } + + if (!fp) + { + rc = KEYBOX_File_Open_Error; + goto leave; + } + + /* create the new file */ + rc = create_tmp_file (fname, &bakfname, &tmpfname, &newfp); + if (rc) + { + fclose(fp); + goto leave; + } + + /* prepare for insert */ + if (mode == 1) + { + /* copy everything to the new file */ + while ( (nread = fread (buffer, 1, DIM(buffer), fp)) > 0 ) + { + if (fwrite (buffer, nread, 1, newfp) != 1) + { + rc = KEYBOX_Write_Error; + goto leave; + } + } + if (ferror (fp)) + { + rc = KEYBOX_Read_Error; + goto leave; + } + } + + /* prepare for delete or update */ + if ( mode == 2 || mode == 3 ) + { + off_t current = 0; + + /* copy first part to the new file */ + while ( current < start_offset ) + { + nbytes = DIM(buffer); + if (current + nbytes > start_offset) + nbytes = start_offset - current; + nread = fread (buffer, 1, nbytes, fp); + if (!fread) + break; + current += nread; + + if (fwrite (buffer, nread, 1, newfp) != 1) + { + rc = KEYBOX_Write_Error; + goto leave; + } + } + if (ferror (fp)) + { + rc = KEYBOX_Read_Error; + goto leave; + } + + /* skip this blob */ + rc = _keybox_read_blob (NULL, fp); + if (rc) + return rc; + } + + /* Do an insert or update */ + if ( mode == 1 || mode == 3 ) + { + rc = _keybox_write_blob (blob, newfp); + if (rc) + return rc; + } + + /* copy the rest of the packet for an delete or update */ + if (mode == 2 || mode == 3) + { + while ( (nread = fread (buffer, 1, DIM(buffer), fp)) > 0 ) + { + if (fwrite (buffer, nread, 1, newfp) != 1) + { + rc = KEYBOX_Write_Error; + goto leave; + } + } + if (ferror (fp)) + { + rc = KEYBOX_Read_Error; + goto leave; + } + } + + /* close both files */ + if (fclose(fp)) + { + rc = KEYBOX_File_Close_Error; + fclose (newfp); + goto leave; + } + if (fclose(newfp)) + { + rc = KEYBOX_File_Close_Error; + goto leave; + } + + rc = rename_tmp_file (bakfname, tmpfname, fname, secret); + + leave: + xfree(bakfname); + xfree(tmpfname); + return rc; +} + + + + +#ifdef KEYBOX_WITH_X509 +int +keybox_insert_cert (KEYBOX_HANDLE hd, KsbaCert cert, + unsigned char *sha1_digest) +{ + int rc; + const char *fname; + KEYBOXBLOB blob; + + if (!hd) + return KEYBOX_Invalid_Handle; + if (!hd->kb) + return KEYBOX_Invalid_Handle; + fname = hd->kb->fname; + if (!fname) + return KEYBOX_Invalid_Handle; + + /* close this one otherwise we will mess up the position for a next + search. Fixme: it would be better to adjust the position after + the write opertions. */ + if (hd->fp) + { + fclose (hd->fp); + hd->fp = NULL; + } + + rc = _keybox_create_x509_blob (&blob, cert, sha1_digest); + if (!rc) + { + rc = blob_filecopy (1, fname, blob, hd->secret, 0, 0 ); + _keybox_release_blob (blob); + /* if (!rc && !hd->secret && kb_offtbl) */ + /* { */ + /* update_offset_hash_table_from_kb (kb_offtbl, kb, 0); */ + /* } */ + } + return rc; +} + +int +keybox_update_cert (KEYBOX_HANDLE hd, KsbaCert cert, + unsigned char *sha1_digest) +{ + return -1; +} + + +#endif /*KEYBOX_WITH_X509*/ + + +int +keybox_delete (KEYBOX_HANDLE hd) +{ + return -1; +} + + diff --git a/kbx/keybox.h b/kbx/keybox.h index 90088236a..645f1e715 100644 --- a/kbx/keybox.h +++ b/kbx/keybox.h @@ -27,6 +27,8 @@ extern "C" { #endif #endif +#include "keybox-search-desc.h" + #define KEYBOX_WITH_OPENPGP 1 #define KEYBOX_WITH_X509 1 @@ -51,8 +53,13 @@ typedef enum { KEYBOX_Write_Error = 6, KEYBOX_File_Error = 7, KEYBOX_Blob_Too_Short = 8, - KEYBOX_Blob_Too_Large = 9 - + KEYBOX_Blob_Too_Large = 9, + KEYBOX_Invalid_Handle = 10, + KEYBOX_File_Create_Error = 11, + KEYBOX_File_Open_Error = 12, + KEYBOX_File_Close_Error = 13, + KEYBOX_Nothing_Found = 14, + KEYBOX_Wrong_Blob_Type = 15, } KeyboxError; @@ -60,24 +67,41 @@ typedef enum { typedef struct keybox_handle *KEYBOX_HANDLE; - /*-- keybox-init.c --*/ void *keybox_register_file (const char *fname, int secret); int keybox_is_writable (void *token); - -/*-- --*/ - KEYBOX_HANDLE keybox_new (void *token, int secret); void keybox_release (KEYBOX_HANDLE hd); const char *keybox_get_resource_name (KEYBOX_HANDLE hd); -int keybox_lock (KEYBOX_HANDLE hd, int yes); + + +/*-- keybox-search.c --*/ +#ifdef KEYBOX_WITH_X509 +int keybox_get_cert (KEYBOX_HANDLE hd, KsbaCert *ret_cert); +#endif /*KEYBOX_WITH_X509*/ + +int keybox_search_reset (KEYBOX_HANDLE hd); +int keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc); + + +/*-- keybox-update.c --*/ +#ifdef KEYBOX_WITH_X509 +int keybox_insert_cert (KEYBOX_HANDLE hd, KsbaCert cert, + unsigned char *sha1_digest); +int keybox_update_cert (KEYBOX_HANDLE hd, KsbaCert cert, + unsigned char *sha1_digest); +#endif /*KEYBOX_WITH_X509*/ + +int keybox_delete (KEYBOX_HANDLE hd); + + +/*-- --*/ + #if 0 +int keybox_lock (KEYBOX_HANDLE hd, int yes); int keybox_get_keyblock (KEYBOX_HANDLE hd, KBNODE *ret_kb); -int keybox_update_keyblock (KEYBOX_HANDLE hd, KBNODE kb); -int keybox_insert_keyblock (KEYBOX_HANDLE hd, KBNODE kb); int keybox_locate_writable (KEYBOX_HANDLE hd); -int keybox_delete_keyblock (KEYBOX_HANDLE hd); int keybox_search_reset (KEYBOX_HANDLE hd); int keybox_search (KEYBOX_HANDLE hd, KEYDB_SEARCH_DESC *desc, size_t ndesc); int keybox_rebuild_cache (void *); |