mirror of
git://git.gnupg.org/gnupg.git
synced 2025-07-02 22:46:30 +02:00
Sicherung
This commit is contained in:
parent
ef75fa1802
commit
1ece02aa54
33 changed files with 704 additions and 766 deletions
|
@ -1,3 +1,8 @@
|
|||
Mon Jun 8 22:23:37 1998 Werner Koch (wk@isil.d.shuttle.de)
|
||||
|
||||
* seckey-cert.c (do_check): Removed cipher constants
|
||||
(protect_secret_key): Ditto.
|
||||
|
||||
Fri May 29 10:00:28 1998 Werner Koch (wk@isil.d.shuttle.de)
|
||||
|
||||
* trustdb.c (query_trust_info): New.
|
||||
|
|
|
@ -64,8 +64,6 @@ target_triplet = @target@
|
|||
CATALOGS = @CATALOGS@
|
||||
CATOBJEXT = @CATOBJEXT@
|
||||
CC = @CC@
|
||||
CIPHER_EXTRA_DIST = @CIPHER_EXTRA_DIST@
|
||||
CIPHER_EXTRA_OBJS = @CIPHER_EXTRA_OBJS@
|
||||
CPP = @CPP@
|
||||
DATADIRNAME = @DATADIRNAME@
|
||||
G10_LOCALEDIR = @G10_LOCALEDIR@
|
||||
|
|
|
@ -575,6 +575,7 @@ build_sig_subpkt( PKT_signature *sig, sigsubpkttype_t type,
|
|||
|
||||
switch( type ) {
|
||||
case SIGSUBPKT_SIG_CREATED:
|
||||
case SIGSUBPKT_PRIV_ADD_SIG:
|
||||
hashed = 1; break;
|
||||
default: hashed = 0; break;
|
||||
}
|
||||
|
|
|
@ -319,6 +319,7 @@ list_one( const char *name, int secret )
|
|||
if( opt.with_colons )
|
||||
printf(":%02x:", sig->sig_class );
|
||||
putchar('\n');
|
||||
/* FIXME: check or list other sigs here (subpkt PRIV_ADD_SIG)*/
|
||||
}
|
||||
}
|
||||
if( !any ) {/* oops, no user id */
|
||||
|
|
|
@ -234,7 +234,8 @@ typedef enum {
|
|||
SIGSUBPKT_PRIMARY_UID =25, /* primary user id */
|
||||
SIGSUBPKT_POLICY =26, /* policy URL */
|
||||
SIGSUBPKT_KEY_FLAGS =27, /* key flags */
|
||||
SIGSUBPKT_SIGNERS_UID =28 /* signer's user id */
|
||||
SIGSUBPKT_SIGNERS_UID =28, /* signer's user id */
|
||||
SIGSUBPKT_PRIV_ADD_SIG =101 /* signatur is also valid for this uid */
|
||||
} sigsubpkttype_t;
|
||||
|
||||
|
||||
|
|
|
@ -615,6 +615,7 @@ parse_sig_subpkt( const byte *buffer, sigsubpkttype_t reqtype, size_t *ret_n )
|
|||
: type == SIGSUBPKT_POLICY ? "policy URL"
|
||||
: type == SIGSUBPKT_KEY_FLAGS ? "key flags"
|
||||
: type == SIGSUBPKT_SIGNERS_UID ? "signer's user id"
|
||||
: type == SIGSUBPKT_PRIV_ADD_SIG? "signs additional user id"
|
||||
: "?");
|
||||
}
|
||||
else if( type == reqtype )
|
||||
|
@ -636,6 +637,13 @@ parse_sig_subpkt( const byte *buffer, sigsubpkttype_t reqtype, size_t *ret_n )
|
|||
if( n < 8 )
|
||||
break;
|
||||
return buffer;
|
||||
case SIGSUBPKT_PRIV_ADD_SIG:
|
||||
/* because we use private data, we check the GNUPG marker */
|
||||
if( n < 24 )
|
||||
break;
|
||||
if( buffer[0] != 'G' || buffer[1] != 'P' || buffer[2] != 'G' )
|
||||
return NULL;
|
||||
return buffer+3;
|
||||
default: BUG(); /* not yet needed */
|
||||
}
|
||||
log_error("subpacket of type %d too short\n", type);
|
||||
|
|
|
@ -127,7 +127,7 @@ get_session_key( PKT_pubkey_enc *k, DEK *dek )
|
|||
{ rc = G10ERR_WRONG_SECKEY; goto leave; }
|
||||
break;
|
||||
case CIPHER_ALGO_BLOWFISH:
|
||||
case CIPHER_ALGO_CAST:
|
||||
case CIPHER_ALGO_CAST5:
|
||||
if( dek->keylen != 16 )
|
||||
{ rc = G10ERR_WRONG_SECKEY; goto leave; }
|
||||
break;
|
||||
|
|
|
@ -49,112 +49,106 @@ do_check( PKT_secret_cert *cert )
|
|||
PKT_secret_cert *save_cert;
|
||||
char save_iv[8];
|
||||
|
||||
switch( cert->protect.algo ) {
|
||||
case CIPHER_ALGO_NONE: BUG(); break;
|
||||
case CIPHER_ALGO_BLOWFISH160:
|
||||
case CIPHER_ALGO_BLOWFISH:
|
||||
case CIPHER_ALGO_CAST:
|
||||
keyid_from_skc( cert, keyid );
|
||||
dek = passphrase_to_dek( keyid, cert->protect.algo,
|
||||
&cert->protect.s2k, 0 );
|
||||
cipher_hd = cipher_open( cert->protect.algo,
|
||||
CIPHER_MODE_AUTO_CFB, 1);
|
||||
cipher_setkey( cipher_hd, dek->key, dek->keylen );
|
||||
cipher_setiv( cipher_hd, NULL );
|
||||
m_free(dek); /* pw is in secure memory, so m_free() burns it */
|
||||
save_cert = copy_secret_cert( NULL, cert );
|
||||
memcpy(save_iv, cert->protect.iv, 8 );
|
||||
cipher_decrypt( cipher_hd, cert->protect.iv, cert->protect.iv, 8 );
|
||||
switch( cert->pubkey_algo ) {
|
||||
case PUBKEY_ALGO_ELGAMAL:
|
||||
case PUBKEY_ALGO_ELGAMAL_E:
|
||||
buffer = mpi_get_secure_buffer( cert->d.elg.x, &nbytes, NULL );
|
||||
cipher_decrypt( cipher_hd, buffer, buffer, nbytes );
|
||||
mpi_set_buffer( cert->d.elg.x, buffer, nbytes, 0 );
|
||||
csum = checksum_mpi( cert->d.elg.x );
|
||||
m_free( buffer );
|
||||
break;
|
||||
case PUBKEY_ALGO_DSA:
|
||||
buffer = mpi_get_secure_buffer( cert->d.dsa.x, &nbytes, NULL );
|
||||
cipher_decrypt( cipher_hd, buffer, buffer, nbytes );
|
||||
mpi_set_buffer( cert->d.dsa.x, buffer, nbytes, 0 );
|
||||
csum = checksum_mpi( cert->d.dsa.x );
|
||||
m_free( buffer );
|
||||
break;
|
||||
#ifdef HAVE_RSA_CIPHER
|
||||
case PUBKEY_ALGO_RSA:
|
||||
case PUBKEY_ALGO_RSA_E:
|
||||
case PUBKEY_ALGO_RSA_S:
|
||||
csum = 0;
|
||||
#define X(a) do { \
|
||||
buffer = mpi_get_secure_buffer( cert->d.rsa.##a, \
|
||||
&nbytes, NULL ); \
|
||||
csum += checksum_u16( nbytes*8 ); \
|
||||
cipher_decrypt( cipher_hd, buffer, buffer, nbytes ); \
|
||||
csum += checksum( buffer, nbytes ); \
|
||||
mpi_set_buffer(cert->d.rsa.##a, buffer, nbytes, 0 ); \
|
||||
m_free( buffer ); \
|
||||
} while(0)
|
||||
X(d);
|
||||
X(p);
|
||||
X(q);
|
||||
X(u);
|
||||
#undef X
|
||||
break;
|
||||
#endif /* HAVE_RSA_CIPHER */
|
||||
if( cert->protect.algo == CIPHER_ALGO_NONE )
|
||||
BUG();
|
||||
if( check_cipher_algo( cert->protect.algo ) )
|
||||
return G10ERR_CIPHER_ALGO; /* unsupported protection algorithm */
|
||||
keyid_from_skc( cert, keyid );
|
||||
dek = passphrase_to_dek( keyid, cert->protect.algo,
|
||||
&cert->protect.s2k, 0 );
|
||||
cipher_hd = cipher_open( cert->protect.algo,
|
||||
CIPHER_MODE_AUTO_CFB, 1);
|
||||
cipher_setkey( cipher_hd, dek->key, dek->keylen );
|
||||
cipher_setiv( cipher_hd, NULL );
|
||||
m_free(dek); /* pw is in secure memory, so m_free() burns it */
|
||||
save_cert = copy_secret_cert( NULL, cert );
|
||||
memcpy(save_iv, cert->protect.iv, 8 );
|
||||
cipher_decrypt( cipher_hd, cert->protect.iv, cert->protect.iv, 8 );
|
||||
switch( cert->pubkey_algo ) {
|
||||
case PUBKEY_ALGO_ELGAMAL:
|
||||
case PUBKEY_ALGO_ELGAMAL_E:
|
||||
buffer = mpi_get_secure_buffer( cert->d.elg.x, &nbytes, NULL );
|
||||
cipher_decrypt( cipher_hd, buffer, buffer, nbytes );
|
||||
mpi_set_buffer( cert->d.elg.x, buffer, nbytes, 0 );
|
||||
csum = checksum_mpi( cert->d.elg.x );
|
||||
m_free( buffer );
|
||||
break;
|
||||
case PUBKEY_ALGO_DSA:
|
||||
buffer = mpi_get_secure_buffer( cert->d.dsa.x, &nbytes, NULL );
|
||||
cipher_decrypt( cipher_hd, buffer, buffer, nbytes );
|
||||
mpi_set_buffer( cert->d.dsa.x, buffer, nbytes, 0 );
|
||||
csum = checksum_mpi( cert->d.dsa.x );
|
||||
m_free( buffer );
|
||||
break;
|
||||
#ifdef HAVE_RSA_CIPHER
|
||||
case PUBKEY_ALGO_RSA:
|
||||
case PUBKEY_ALGO_RSA_E:
|
||||
case PUBKEY_ALGO_RSA_S:
|
||||
csum = 0;
|
||||
#define X(a) do { \
|
||||
buffer = mpi_get_secure_buffer( cert->d.rsa.##a, \
|
||||
&nbytes, NULL ); \
|
||||
csum += checksum_u16( nbytes*8 ); \
|
||||
cipher_decrypt( cipher_hd, buffer, buffer, nbytes ); \
|
||||
csum += checksum( buffer, nbytes ); \
|
||||
mpi_set_buffer(cert->d.rsa.##a, buffer, nbytes, 0 ); \
|
||||
m_free( buffer ); \
|
||||
} while(0)
|
||||
X(d);
|
||||
X(p);
|
||||
X(q);
|
||||
X(u);
|
||||
#undef X
|
||||
break;
|
||||
#endif /* HAVE_RSA_CIPHER */
|
||||
|
||||
default: BUG();
|
||||
default: BUG();
|
||||
}
|
||||
cipher_close( cipher_hd );
|
||||
/* now let's see whether we have used the right passphrase */
|
||||
if( csum != cert->csum ) {
|
||||
if( cert->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E ) {
|
||||
/* very bad kludge to work around an early bug */
|
||||
csum -= checksum_u16( mpi_get_nbits(cert->d.elg.x) );
|
||||
nbytes = mpi_get_nlimbs(cert->d.elg.x) * 4;
|
||||
csum += checksum_u16( nbytes*8 );
|
||||
if( !opt.batch && csum == cert->csum )
|
||||
log_info("Probably you have an old key - use "
|
||||
"\"--change-passphrase\" to convert.\n");
|
||||
}
|
||||
cipher_close( cipher_hd );
|
||||
/* now let's see whether we have used the right passphrase */
|
||||
if( csum != cert->csum ) {
|
||||
if( cert->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E ) {
|
||||
/* very bad kludge to work around an early bug */
|
||||
csum -= checksum_u16( mpi_get_nbits(cert->d.elg.x) );
|
||||
nbytes = mpi_get_nlimbs(cert->d.elg.x) * 4;
|
||||
csum += checksum_u16( nbytes*8 );
|
||||
if( !opt.batch && csum == cert->csum )
|
||||
log_info("Probably you have an old key - use "
|
||||
"\"--change-passphrase\" to convert.\n");
|
||||
}
|
||||
if( csum != cert->csum ) {
|
||||
copy_secret_cert( cert, save_cert );
|
||||
free_secret_cert( save_cert );
|
||||
memcpy( cert->protect.iv, save_iv, 8 );
|
||||
return G10ERR_BAD_PASS;
|
||||
}
|
||||
}
|
||||
|
||||
switch( cert->pubkey_algo ) {
|
||||
case PUBKEY_ALGO_ELGAMAL_E:
|
||||
case PUBKEY_ALGO_ELGAMAL:
|
||||
res = elg_check_secret_key( &cert->d.elg );
|
||||
break;
|
||||
case PUBKEY_ALGO_DSA:
|
||||
res = dsa_check_secret_key( &cert->d.dsa );
|
||||
break;
|
||||
#ifdef HAVE_RSA_CIPHER
|
||||
case PUBKEY_ALGO_RSA:
|
||||
case PUBKEY_ALGO_RSA_E:
|
||||
case PUBKEY_ALGO_RSA_S:
|
||||
res = rsa_check_secret_key( &cert->d.rsa );
|
||||
break;
|
||||
#endif
|
||||
default: BUG();
|
||||
}
|
||||
if( !res ) {
|
||||
copy_secret_cert( cert, save_cert );
|
||||
free_secret_cert( save_cert );
|
||||
memcpy( cert->protect.iv, save_iv, 8 );
|
||||
return G10ERR_BAD_PASS;
|
||||
}
|
||||
free_secret_cert( save_cert );
|
||||
cert->is_protected = 0;
|
||||
break;
|
||||
|
||||
default:
|
||||
return G10ERR_CIPHER_ALGO; /* unsupported protection algorithm */
|
||||
}
|
||||
|
||||
switch( cert->pubkey_algo ) {
|
||||
case PUBKEY_ALGO_ELGAMAL_E:
|
||||
case PUBKEY_ALGO_ELGAMAL:
|
||||
res = elg_check_secret_key( &cert->d.elg );
|
||||
break;
|
||||
case PUBKEY_ALGO_DSA:
|
||||
res = dsa_check_secret_key( &cert->d.dsa );
|
||||
break;
|
||||
#ifdef HAVE_RSA_CIPHER
|
||||
case PUBKEY_ALGO_RSA:
|
||||
case PUBKEY_ALGO_RSA_E:
|
||||
case PUBKEY_ALGO_RSA_S:
|
||||
res = rsa_check_secret_key( &cert->d.rsa );
|
||||
break;
|
||||
#endif
|
||||
default: BUG();
|
||||
}
|
||||
if( !res ) {
|
||||
copy_secret_cert( cert, save_cert );
|
||||
free_secret_cert( save_cert );
|
||||
memcpy( cert->protect.iv, save_iv, 8 );
|
||||
return G10ERR_BAD_PASS;
|
||||
}
|
||||
free_secret_cert( save_cert );
|
||||
cert->is_protected = 0;
|
||||
}
|
||||
else { /* not protected */
|
||||
switch( cert->pubkey_algo ) {
|
||||
|
@ -320,11 +314,9 @@ protect_secret_key( PKT_secret_cert *cert, DEK *dek )
|
|||
if( !cert->is_protected ) { /* okay, apply the protection */
|
||||
CIPHER_HANDLE cipher_hd=NULL;
|
||||
|
||||
switch( cert->protect.algo ) {
|
||||
case CIPHER_ALGO_NONE: BUG(); break;
|
||||
case CIPHER_ALGO_BLOWFISH160:
|
||||
case CIPHER_ALGO_BLOWFISH:
|
||||
case CIPHER_ALGO_CAST:
|
||||
if( check_cipher_algo( cert->protect.algo ) )
|
||||
rc = G10ERR_CIPHER_ALGO; /* unsupport protection algorithm */
|
||||
else {
|
||||
cipher_hd = cipher_open( cert->protect.algo,
|
||||
CIPHER_MODE_AUTO_CFB, 1 );
|
||||
cipher_setkey( cipher_hd, dek->key, dek->keylen );
|
||||
|
@ -333,11 +325,6 @@ protect_secret_key( PKT_secret_cert *cert, DEK *dek )
|
|||
if( !do_protect( &cipher_encrypt, cipher_hd, cert ) )
|
||||
cert->is_protected = 1;
|
||||
cipher_close( cipher_hd );
|
||||
break;
|
||||
|
||||
default:
|
||||
rc = G10ERR_CIPHER_ALGO; /* unsupport protection algorithm */
|
||||
break;
|
||||
}
|
||||
}
|
||||
return rc;
|
||||
|
|
|
@ -319,38 +319,6 @@ check_key_signature( KBNODE root, KBNODE node, int *is_selfsig )
|
|||
rc = G10ERR_SIG_CLASS;
|
||||
}
|
||||
}
|
||||
else if( sig->sig_class >= 0x14 && sig->sig_class <= 0x17 ) {
|
||||
/* a gnupg extension: calculate the signature over all
|
||||
* preceding userids */
|
||||
KBNODE unode = find_prev_kbnode( root, node, PKT_USER_ID );
|
||||
u32 keyid[2];
|
||||
int any = 0;
|
||||
|
||||
keyid_from_pkc( pkc, keyid );
|
||||
md = md_open( algo, 0 );
|
||||
hash_public_cert( md, pkc );
|
||||
|
||||
for( unode=root->next; unode && unode != node; unode = unode->next ) {
|
||||
if( unode->pkt->pkttype == PKT_USER_ID ) {
|
||||
hash_uid_node( unode, md, sig );
|
||||
any++;
|
||||
}
|
||||
}
|
||||
if( any ) {
|
||||
if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] ) {
|
||||
if( is_selfsig )
|
||||
*is_selfsig = 1;
|
||||
rc = do_check( pkc, sig, md );
|
||||
}
|
||||
else
|
||||
rc = signature_check( sig, md );
|
||||
}
|
||||
else {
|
||||
log_error("no user id for key signature packet\n");
|
||||
rc = G10ERR_SIG_CLASS;
|
||||
}
|
||||
md_close(md);
|
||||
}
|
||||
else {
|
||||
KBNODE unode = find_prev_kbnode( root, node, PKT_USER_ID );
|
||||
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue