From a6142dbdbc5783043deb847dc64998c421860941 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 30 Mar 2017 15:18:45 +0200 Subject: [PATCH] gpg: Remove the use of the signature information from a KBX. * g10/keydb.c (keyblock_cache): Remove field SIGSTATUS. (keyblock_cache_clear): Adjust for that removal. (parse_keyblock_image): Remove arg SIGSTATUS. Remove the signature cache setting; this is now done in the parser. (keydb_get_keyblock): Do not set SIGSTATUS. (build_keyblock_image): Remove arg SIGSTATUS and simplify. Change caller. * kbx/keybox-blob.c: Explain that the signature information is not anymore used. (_keybox_create_openpgp_blob): Remove arg SIGSTATUS and change callers. * kbx/keybox-search.c (keybox_get_keyblock): Remove arg R_SIGSTATUS and change callers. * kbx/keybox-update.c (keybox_insert_keyblock): Likewise. -- This thing was too complicated and has been replaced by the new ring trust packet code. Signed-off-by: Werner Koch --- g10/keydb.c | 115 ++++---------------------------------------- kbx/kbxutil.c | 3 +- kbx/keybox-blob.c | 12 ++--- kbx/keybox-defs.h | 1 - kbx/keybox-search.c | 23 ++------- kbx/keybox-update.c | 11 ++--- kbx/keybox.h | 5 +- 7 files changed, 25 insertions(+), 145 deletions(-) diff --git a/g10/keydb.c b/g10/keydb.c index 67957f83e..b255c3fff 100644 --- a/g10/keydb.c +++ b/g10/keydb.c @@ -82,7 +82,6 @@ struct keyblock_cache { enum keyblock_cache_states state; byte fpr[MAX_FINGERPRINT_LEN]; iobuf_t iobuf; /* Image of the keyblock. */ - u32 *sigstatus; int pk_no; int uid_no; /* Offset of the record in the keybox. */ @@ -248,8 +247,6 @@ static void keyblock_cache_clear (struct keydb_handle *hd) { hd->keyblock_cache.state = KEYBLOCK_CACHE_EMPTY; - xfree (hd->keyblock_cache.sigstatus); - hd->keyblock_cache.sigstatus = NULL; iobuf_close (hd->keyblock_cache.iobuf); hd->keyblock_cache.iobuf = NULL; hd->keyblock_cache.resource = -1; @@ -1153,7 +1150,7 @@ keydb_pop_found_state (KEYDB_HANDLE hd) static gpg_error_t parse_keyblock_image (iobuf_t iobuf, int pk_no, int uid_no, - const u32 *sigstatus, kbnode_t *r_keyblock) + kbnode_t *r_keyblock) { gpg_error_t err; struct parse_packet_ctx_s parsectx; @@ -1161,7 +1158,6 @@ parse_keyblock_image (iobuf_t iobuf, int pk_no, int uid_no, kbnode_t keyblock = NULL; kbnode_t node, *tail; int in_cert, save_mode; - u32 n_sigs; int pk_count, uid_count; *r_keyblock = NULL; @@ -1173,7 +1169,6 @@ parse_keyblock_image (iobuf_t iobuf, int pk_no, int uid_no, init_parse_packet (&parsectx, iobuf); save_mode = set_packet_list_mode (0); in_cert = 0; - n_sigs = 0; tail = NULL; pk_count = uid_count = 0; while ((err = parse_packet (&parsectx, pkt)) != -1) @@ -1233,36 +1228,6 @@ parse_keyblock_image (iobuf_t iobuf, int pk_no, int uid_no, } in_cert = 1; - if (pkt->pkttype == PKT_SIGNATURE && sigstatus) - { - PKT_signature *sig = pkt->pkt.signature; - - n_sigs++; - if (n_sigs > sigstatus[0]) - { - log_error ("parse_keyblock_image: " - "more signatures than found in the meta data\n"); - err = gpg_error (GPG_ERR_INV_KEYRING); - break; - - } - if (sigstatus[n_sigs]) - { - sig->flags.checked = 1; - if (sigstatus[n_sigs] == 1 ) - ; /* missing key */ - else if (sigstatus[n_sigs] == 2 ) - ; /* bad signature */ - else if (sigstatus[n_sigs] < 0x10000000) - ; /* bad flag */ - else - { - sig->flags.valid = 1; - /* Fixme: Shall we set the expired flag here? */ - } - } - } - node = new_kbnode (pkt); switch (pkt->pkttype) @@ -1302,12 +1267,6 @@ parse_keyblock_image (iobuf_t iobuf, int pk_no, int uid_no, if (err == -1 && keyblock) err = 0; /* Got the entire keyblock. */ - if (!err && sigstatus && n_sigs != sigstatus[0]) - { - log_error ("parse_keyblock_image: signature count does not match\n"); - err = gpg_error (GPG_ERR_INV_KEYRING); - } - if (err) release_kbnode (keyblock); else @@ -1354,7 +1313,6 @@ keydb_get_keyblock (KEYDB_HANDLE hd, KBNODE *ret_kb) err = parse_keyblock_image (hd->keyblock_cache.iobuf, hd->keyblock_cache.pk_no, hd->keyblock_cache.uid_no, - hd->keyblock_cache.sigstatus, ret_kb); if (err) keyblock_cache_clear (hd); @@ -1379,26 +1337,22 @@ keydb_get_keyblock (KEYDB_HANDLE hd, KBNODE *ret_kb) case KEYDB_RESOURCE_TYPE_KEYBOX: { iobuf_t iobuf; - u32 *sigstatus; int pk_no, uid_no; err = keybox_get_keyblock (hd->active[hd->found].u.kb, - &iobuf, &pk_no, &uid_no, &sigstatus); + &iobuf, &pk_no, &uid_no); if (!err) { - err = parse_keyblock_image (iobuf, pk_no, uid_no, sigstatus, - ret_kb); + err = parse_keyblock_image (iobuf, pk_no, uid_no, ret_kb); if (!err && hd->keyblock_cache.state == KEYBLOCK_CACHE_PREPARED) { hd->keyblock_cache.state = KEYBLOCK_CACHE_FILLED; - hd->keyblock_cache.sigstatus = sigstatus; hd->keyblock_cache.iobuf = iobuf; hd->keyblock_cache.pk_no = pk_no; hd->keyblock_cache.uid_no = uid_no; } else { - xfree (sigstatus); iobuf_close (iobuf); } } @@ -1417,39 +1371,18 @@ keydb_get_keyblock (KEYDB_HANDLE hd, KBNODE *ret_kb) /* Build a keyblock image from KEYBLOCK. Returns 0 on success and - only then stores a new iobuf object at R_IOBUF and a signature - status vecotor at R_SIGSTATUS. */ + * only then stores a new iobuf object at R_IOBUF. */ static gpg_error_t -build_keyblock_image (kbnode_t keyblock, iobuf_t *r_iobuf, u32 **r_sigstatus) +build_keyblock_image (kbnode_t keyblock, iobuf_t *r_iobuf) { gpg_error_t err; iobuf_t iobuf; kbnode_t kbctx, node; - u32 n_sigs; - u32 *sigstatus; *r_iobuf = NULL; - if (r_sigstatus) - *r_sigstatus = NULL; - - /* Allocate a vector for the signature cache. This is an array of - u32 values with the first value giving the number of elements to - follow and each element descriping the cache status of the - signature. */ - if (r_sigstatus) - { - for (kbctx=NULL, n_sigs=0; (node = walk_kbnode (keyblock, &kbctx, 0));) - if (node->pkt->pkttype == PKT_SIGNATURE) - n_sigs++; - sigstatus = xtrycalloc (1+n_sigs, sizeof *sigstatus); - if (!sigstatus) - return gpg_error_from_syserror (); - } - else - sigstatus = NULL; iobuf = iobuf_temp (); - for (kbctx = NULL, n_sigs = 0; (node = walk_kbnode (keyblock, &kbctx, 0));) + for (kbctx = NULL; (node = walk_kbnode (keyblock, &kbctx, 0));) { /* Make sure to use only packets valid on a keyblock. */ switch (node->pkt->pkttype) @@ -1471,36 +1404,9 @@ build_keyblock_image (kbnode_t keyblock, iobuf_t *r_iobuf, u32 **r_sigstatus) iobuf_close (iobuf); return err; } - - /* Build signature status vector. */ - if (node->pkt->pkttype == PKT_SIGNATURE) - { - PKT_signature *sig = node->pkt->pkt.signature; - - n_sigs++; - /* Fixme: Detect the "missing key" status. */ - if (sig->flags.checked && sigstatus) - { - if (sig->flags.valid) - { - if (!sig->expiredate) - sigstatus[n_sigs] = 0xffffffff; - else if (sig->expiredate < 0x1000000) - sigstatus[n_sigs] = 0x10000000; - else - sigstatus[n_sigs] = sig->expiredate; - } - else - sigstatus[n_sigs] = 0x00000002; /* Bad signature. */ - } - } } - if (sigstatus) - sigstatus[0] = n_sigs; *r_iobuf = iobuf; - if (r_sigstatus) - *r_sigstatus = sigstatus; return 0; } @@ -1574,7 +1480,7 @@ keydb_update_keyblock (ctrl_t ctrl, KEYDB_HANDLE hd, kbnode_t kb) { iobuf_t iobuf; - err = build_keyblock_image (kb, &iobuf, NULL); + err = build_keyblock_image (kb, &iobuf); if (!err) { err = keybox_update_keyblock (hd->active[hd->found].u.kb, @@ -1641,16 +1547,13 @@ keydb_insert_keyblock (KEYDB_HANDLE hd, kbnode_t kb) included in the keybox code. Eventually we can change this kludge to have the caller pass the image. */ iobuf_t iobuf; - u32 *sigstatus; - err = build_keyblock_image (kb, &iobuf, &sigstatus); + err = build_keyblock_image (kb, &iobuf); if (!err) { err = keybox_insert_keyblock (hd->active[idx].u.kb, iobuf_get_temp_buffer (iobuf), - iobuf_get_temp_length (iobuf), - sigstatus); - xfree (sigstatus); + iobuf_get_temp_length (iobuf)); iobuf_close (iobuf); } } diff --git a/kbx/kbxutil.c b/kbx/kbxutil.c index 609429884..08892310f 100644 --- a/kbx/kbxutil.c +++ b/kbx/kbxutil.c @@ -411,8 +411,7 @@ import_openpgp (const char *filename, int dryrun) dump_openpgp_key (&info, p); else { - err = _keybox_create_openpgp_blob (&blob, &info, p, nparsed, - NULL, 0); + err = _keybox_create_openpgp_blob (&blob, &info, p, nparsed, 0); if (err) { fflush (stdout); diff --git a/kbx/keybox-blob.c b/kbx/keybox-blob.c index f3bdceb3e..82f1cfec3 100644 --- a/kbx/keybox-blob.c +++ b/kbx/keybox-blob.c @@ -101,7 +101,9 @@ - u16 [NSIGS] Number of signatures - u16 Size of signature information (4) - NSIGS times: - - u32 Expiration time of signature with some special values: + - u32 Expiration time of signature with some special values. + Since version 2.1.20 these special valuesare not anymore + used for OpenPGP: - 0x00000000 = not checked - 0x00000001 = missing key - 0x00000002 = bad signature @@ -705,7 +707,6 @@ _keybox_create_openpgp_blob (KEYBOXBLOB *r_blob, keybox_openpgp_info_t info, const unsigned char *image, size_t imagelen, - u32 *sigstatus, int as_ephemeral) { gpg_error_t err; @@ -713,11 +714,6 @@ _keybox_create_openpgp_blob (KEYBOXBLOB *r_blob, *r_blob = NULL; - /* If we have a signature status vector, check that the number of - elements matches the actual number of signatures. */ - if (sigstatus && sigstatus[0] != info->nsigs) - return gpg_error (GPG_ERR_INTERNAL); - blob = xtrycalloc (1, sizeof *blob); if (!blob) return gpg_error_from_syserror (); @@ -756,7 +752,7 @@ _keybox_create_openpgp_blob (KEYBOXBLOB *r_blob, if (err) goto leave; pgp_create_uid_part (blob, info); - pgp_create_sig_part (blob, sigstatus); + pgp_create_sig_part (blob, NULL); init_membuf (&blob->bufbuf, 1024); blob->buf = &blob->bufbuf; diff --git a/kbx/keybox-defs.h b/kbx/keybox-defs.h index d9c3d3afe..b8b83771a 100644 --- a/kbx/keybox-defs.h +++ b/kbx/keybox-defs.h @@ -155,7 +155,6 @@ gpg_error_t _keybox_create_openpgp_blob (KEYBOXBLOB *r_blob, keybox_openpgp_info_t info, const unsigned char *image, size_t imagelen, - u32 *sigstatus, int as_ephemeral); #ifdef KEYBOX_WITH_X509 int _keybox_create_x509_blob (KEYBOXBLOB *r_blob, ksba_cert_t cert, diff --git a/kbx/keybox-search.c b/kbx/keybox-search.c index cc114c64c..56515d16a 100644 --- a/kbx/keybox-search.c +++ b/kbx/keybox-search.c @@ -1048,23 +1048,20 @@ keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc, /* Return the last found keyblock. Returns 0 on success and stores a - new iobuf at R_IOBUF and a signature status vector at R_SIGSTATUS - in that case. R_UID_NO and R_PK_NO are used to retun the number of - the key or user id which was matched the search criteria; if not - known they are set to 0. */ + * new iobuf at R_IOBUF. R_UID_NO and R_PK_NO are used to retun the + * number of the key or user id which was matched the search criteria; + * if not known they are set to 0. */ gpg_error_t keybox_get_keyblock (KEYBOX_HANDLE hd, iobuf_t *r_iobuf, - int *r_pk_no, int *r_uid_no, u32 **r_sigstatus) + int *r_pk_no, int *r_uid_no) { gpg_error_t err; - const unsigned char *buffer, *p; + const unsigned char *buffer; size_t length; size_t image_off, image_len; size_t siginfo_off, siginfo_len; - u32 *sigstatus, n, n_sigs, sigilen; *r_iobuf = NULL; - *r_sigstatus = NULL; if (!hd) return gpg_error (GPG_ERR_INV_VALUE); @@ -1086,19 +1083,9 @@ keybox_get_keyblock (KEYBOX_HANDLE hd, iobuf_t *r_iobuf, &siginfo_off, &siginfo_len); if (err) return err; - n_sigs = get16 (buffer + siginfo_off); - sigilen = get16 (buffer + siginfo_off + 2); - p = buffer + siginfo_off + 4; - sigstatus = xtrymalloc ((1+n_sigs) * sizeof *sigstatus); - if (!sigstatus) - return gpg_error_from_syserror (); - sigstatus[0] = n_sigs; - for (n=1; n <= n_sigs; n++, p += sigilen) - sigstatus[n] = get32 (p); *r_pk_no = hd->found.pk_no; *r_uid_no = hd->found.uid_no; - *r_sigstatus = sigstatus; *r_iobuf = iobuf_temp_with_content (buffer+image_off, image_len); return 0; } diff --git a/kbx/keybox-update.c b/kbx/keybox-update.c index 31171dea4..0b0f56bce 100644 --- a/kbx/keybox-update.c +++ b/kbx/keybox-update.c @@ -353,12 +353,9 @@ blob_filecopy (int mode, const char *fname, KEYBOXBLOB blob, } -/* Insert the OpenPGP keyblock {IMAGE,IMAGELEN} into HD. SIGSTATUS is - a vector describing the status of the signatures; its first element - gives the number of following elements. */ +/* Insert the OpenPGP keyblock {IMAGE,IMAGELEN} into HD. */ gpg_error_t -keybox_insert_keyblock (KEYBOX_HANDLE hd, const void *image, size_t imagelen, - u32 *sigstatus) +keybox_insert_keyblock (KEYBOX_HANDLE hd, const void *image, size_t imagelen) { gpg_error_t err; const char *fname; @@ -385,7 +382,7 @@ keybox_insert_keyblock (KEYBOX_HANDLE hd, const void *image, size_t imagelen, return err; assert (nparsed <= imagelen); err = _keybox_create_openpgp_blob (&blob, &info, image, imagelen, - sigstatus, hd->ephemeral); + hd->ephemeral); _keybox_destroy_openpgp_info (&info); if (!err) { @@ -436,7 +433,7 @@ keybox_update_keyblock (KEYBOX_HANDLE hd, const void *image, size_t imagelen) return err; assert (nparsed <= imagelen); err = _keybox_create_openpgp_blob (&blob, &info, image, imagelen, - NULL, hd->ephemeral); + hd->ephemeral); _keybox_destroy_openpgp_info (&info); /* Update the keyblock. */ diff --git a/kbx/keybox.h b/kbx/keybox.h index 5c2824a7f..29884b05f 100644 --- a/kbx/keybox.h +++ b/kbx/keybox.h @@ -85,7 +85,7 @@ int _keybox_write_header_blob (FILE *fp, int openpgp_flag); /*-- keybox-search.c --*/ gpg_error_t keybox_get_keyblock (KEYBOX_HANDLE hd, iobuf_t *r_iobuf, - int *r_uid_no, int *r_pk_no, u32 **sigstatus); + int *r_uid_no, int *r_pk_no); #ifdef KEYBOX_WITH_X509 int keybox_get_cert (KEYBOX_HANDLE hd, ksba_cert_t *ret_cert); #endif /*KEYBOX_WITH_X509*/ @@ -102,8 +102,7 @@ gpg_error_t keybox_seek (KEYBOX_HANDLE hd, off_t offset); /*-- keybox-update.c --*/ gpg_error_t keybox_insert_keyblock (KEYBOX_HANDLE hd, - const void *image, size_t imagelen, - u32 *sigstatus); + const void *image, size_t imagelen); gpg_error_t keybox_update_keyblock (KEYBOX_HANDLE hd, const void *image, size_t imagelen);