security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-03 12:11:33 +01:00
Code Activity

gpg: Prepare for signatures with ISSUER_FPR but without ISSUER.

Browse Source 
* g10/getkey.c (get_pubkey_for_sig): New.
(get_pubkeyblock_for_sig): New.
* g10/mainproc.c (issuer_fpr_raw): Give global scope.
(check_sig_and_print): Use get_pubkeyblock_for_sig.
* g10/pkclist.c (check_signatures_trust): Use get_pubkey_for_sig.
* g10/sig-check.c (check_signature2): Ditto.
(check_signature_over_key_or_uid): Ditto.
--

GnuPG-bug-id: 4046

The whole getkey stuff is still a mess with way to much duplication
and missing caching of already fetched data.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2018-07-05 20:55:32 +02:00
parent 9ea9b9db7e
commit f7526c7bc7
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
6 changed files with 60 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
g10/getkey.c
View File

@ -677,6 +677,24 @@ pk_from_block (PKT_public_key *pk, kbnode_t keyblock, kbnode_t found_key)
} }
/* Specialized version of get_pubkey which retrieves the key based on
* information in SIG. In contrast to get_pubkey PK is required. */
gpg_error_t
get_pubkey_for_sig (ctrl_t ctrl, PKT_public_key *pk, PKT_signature *sig)
{
const byte *fpr;
size_t fprlen;
/* First try the new ISSUER_FPR info. */
fpr = issuer_fpr_raw (sig, &fprlen);
if (fpr && !get_pubkey_byfprint (ctrl, pk, NULL, fpr, fprlen))
return 0;
/* Fallback to use the ISSUER_KEYID. */
return get_pubkey (ctrl, pk, sig->keyid);
}
/* Return the public key with the key id KEYID and store it at PK. /* Return the public key with the key id KEYID and store it at PK.
* The resources in *PK should be released using * The resources in *PK should be released using
* release_public_key_parts(). This function also stores a copy of * release_public_key_parts(). This function also stores a copy of
@ -739,8 +757,9 @@ get_pubkey (ctrl_t ctrl, PKT_public_key * pk, u32 * keyid)
/* Do a lookup. */ /* Do a lookup. */
{ {
struct getkey_ctx_s ctx; struct getkey_ctx_s ctx;
KBNODE kb = NULL; kbnode_t kb = NULL;
KBNODE found_key = NULL; kbnode_t found_key = NULL;
memset (&ctx, 0, sizeof ctx); memset (&ctx, 0, sizeof ctx);
ctx.exact = 1; /* Use the key ID exactly as given. */ ctx.exact = 1; /* Use the key ID exactly as given. */
ctx.not_allocated = 1; ctx.not_allocated = 1;
@ -863,6 +882,28 @@ get_pubkey_fast (PKT_public_key * pk, u32 * keyid)
} }
/* Return the entire keyblock used to create SIG. This is a
* specialized version of get_pubkeyblock.
*
* FIXME: This is a hack because get_pubkey_for_sig was already called
* and it could have used a cache to hold the key. */
kbnode_t
get_pubkeyblock_for_sig (ctrl_t ctrl, PKT_signature *sig)
{
const byte *fpr;
size_t fprlen;
kbnode_t keyblock;
/* First try the new ISSUER_FPR info. */
fpr = issuer_fpr_raw (sig, &fprlen);
if (fpr && !get_pubkey_byfprint (ctrl, NULL, &keyblock, fpr, fprlen))
return keyblock;
/* Fallback to use the ISSUER_KEYID. */
return get_pubkeyblock (ctrl, sig->keyid);
}
/* Return the key block for the key with key id KEYID or NULL, if an /* Return the key block for the key with key id KEYID or NULL, if an
* error occurs. Use release_kbnode() to release the key block. * error occurs. Use release_kbnode() to release the key block.
* *
@ -1802,6 +1843,8 @@ get_pubkey_byfprint (ctrl_t ctrl, PKT_public_key *pk, kbnode_t *r_keyblock,
memset (&ctx, 0, sizeof ctx); memset (&ctx, 0, sizeof ctx);
ctx.exact = 1; ctx.exact = 1;
ctx.not_allocated = 1; ctx.not_allocated = 1;
/* FIXME: We should get the handle from the cache like we do in
* get_pubkey. */
ctx.kr_handle = keydb_new (); ctx.kr_handle = keydb_new ();
if (!ctx.kr_handle) if (!ctx.kr_handle)
return gpg_error_from_syserror (); return gpg_error_from_syserror ();

8
g10/keydb.h
View File

@ -283,6 +283,10 @@ void cache_public_key( PKT_public_key *pk );
/* Disable and drop the public key cache. */ /* Disable and drop the public key cache. */
void getkey_disable_caches(void); void getkey_disable_caches(void);
/* Return the public key used for signature SIG and store it at PK. */
gpg_error_t get_pubkey_for_sig (ctrl_t ctrl,
PKT_public_key *pk, PKT_signature *sig);
/* Return the public key with the key id KEYID and store it at PK. */ /* Return the public key with the key id KEYID and store it at PK. */
int get_pubkey (ctrl_t ctrl, PKT_public_key *pk, u32 *keyid); int get_pubkey (ctrl_t ctrl, PKT_public_key *pk, u32 *keyid);
@ -291,6 +295,10 @@ int get_pubkey (ctrl_t ctrl, PKT_public_key *pk, u32 *keyid);
also only considers primary keys. */ also only considers primary keys. */
int get_pubkey_fast (PKT_public_key *pk, u32 *keyid); int get_pubkey_fast (PKT_public_key *pk, u32 *keyid);
/* Return the entire keyblock used to create SIG. This is a
* specialized version of get_pubkeyblock. */
kbnode_t get_pubkeyblock_for_sig (ctrl_t ctrl, PKT_signature *sig);
/* Return the key block for the key with KEYID. */ /* Return the key block for the key with KEYID. */
kbnode_t get_pubkeyblock (ctrl_t ctrl, u32 *keyid); kbnode_t get_pubkeyblock (ctrl_t ctrl, u32 *keyid);

6
g10/mainproc.c
View File

@ -1751,7 +1751,7 @@ akl_has_wkd_method (void)
/* Return the ISSUER fingerprint buffer and its lenbgth at R_LEN. /* Return the ISSUER fingerprint buffer and its lenbgth at R_LEN.
* Returns NULL if not available. The returned buffer is valid as * Returns NULL if not available. The returned buffer is valid as
* long as SIG is not modified. */ * long as SIG is not modified. */
static const byte * const byte *
issuer_fpr_raw (PKT_signature *sig, size_t *r_len) issuer_fpr_raw (PKT_signature *sig, size_t *r_len)
{ {
const byte *p; const byte *p;
@ -1768,7 +1768,7 @@ issuer_fpr_raw (PKT_signature *sig, size_t *r_len)
} }
/* Return the ISSUER fingerprint string in human readbale format if /* Return the ISSUER fingerprint string in human readable format if
* available. Caller must release the string. */ * available. Caller must release the string. */
/* FIXME: Move to another file. */ /* FIXME: Move to another file. */
char * char *
@ -2134,7 +2134,7 @@ check_sig_and_print (CTX c, kbnode_t node)
* keyblock has already been fetched. Thus we could use the * keyblock has already been fetched. Thus we could use the
* fingerprint or PK itself to lookup the entire keyblock. That * fingerprint or PK itself to lookup the entire keyblock. That
* would best be done with a cache. */ * would best be done with a cache. */
keyblock = get_pubkeyblock (c->ctrl, sig->keyid); keyblock = get_pubkeyblock_for_sig (c->ctrl, sig);
snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ", snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
(ulong)sig->keyid[0], (ulong)sig->keyid[1]); (ulong)sig->keyid[0], (ulong)sig->keyid[1]);

1
g10/packet.h
View File

@ -621,6 +621,7 @@ int proc_signature_packets_by_fd (ctrl_t ctrl,
int proc_encryption_packets (ctrl_t ctrl, void *ctx, iobuf_t a); int proc_encryption_packets (ctrl_t ctrl, void *ctx, iobuf_t a);
int list_packets( iobuf_t a ); int list_packets( iobuf_t a );
const byte *issuer_fpr_raw (PKT_signature *sig, size_t *r_len);
char *issuer_fpr_string (PKT_signature *sig); char *issuer_fpr_string (PKT_signature *sig);
/*-- parse-packet.c --*/ /*-- parse-packet.c --*/

2
g10/pkclist.c
View File

@ -548,7 +548,7 @@ check_signatures_trust (ctrl_t ctrl, PKT_signature *sig)
unsigned int trustlevel = TRUST_UNKNOWN; unsigned int trustlevel = TRUST_UNKNOWN;
int rc=0; int rc=0;
rc = get_pubkey (ctrl, pk, sig->keyid ); rc = get_pubkey_for_sig (ctrl, pk, sig);
if (rc) if (rc)
{ /* this should not happen */ { /* this should not happen */
log_error("Ooops; the key vanished - can't check the trust\n"); log_error("Ooops; the key vanished - can't check the trust\n");

4
g10/sig-check.c
View File

@ -156,7 +156,7 @@ check_signature2 (ctrl_t ctrl,
log_info(_("WARNING: signature digest conflict in message\n")); log_info(_("WARNING: signature digest conflict in message\n"));
rc = gpg_error (GPG_ERR_GENERAL); rc = gpg_error (GPG_ERR_GENERAL);
} }
else if (get_pubkey (ctrl, pk, sig->keyid)) else if (get_pubkey_for_sig (ctrl, pk, sig))
rc = gpg_error (GPG_ERR_NO_PUBKEY); rc = gpg_error (GPG_ERR_NO_PUBKEY);
else if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION, else if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION,
pk->pubkey_algo, pk->pkey, pk->pubkey_algo, pk->pkey,
@ -926,7 +926,7 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
if (IS_CERT (sig)) if (IS_CERT (sig))
signer->req_usage = PUBKEY_USAGE_CERT; signer->req_usage = PUBKEY_USAGE_CERT;
rc = get_pubkey (ctrl, signer, sig->keyid); rc = get_pubkey_for_sig (ctrl, signer, sig);
if (rc) if (rc)
{ {
xfree (signer); xfree (signer);