mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
219 lines
6.2 KiB
Plaintext
219 lines
6.2 KiB
Plaintext
A Hacker's Guide to GNUPG
|
|
================================
|
|
(Some notes on GNUPG internals.)
|
|
|
|
|
|
===> Under construction <=======
|
|
|
|
|
|
CVS Access
|
|
==========
|
|
Anonymous read-only CVS access is available:
|
|
|
|
cvs -z6 -d :pserver:anonymous@ftp.guug.de:/home/koch/cvs login
|
|
|
|
use the password "anonymous". To check out the the complete
|
|
archive use:
|
|
|
|
cvs -z6 -d :pserver:anonymous@ftp.guug.de:/home/koch/cvs checkout gnupg
|
|
|
|
This service is provided to help you in hunting bugs and not to deliver
|
|
stable snapshots; it may happen that it even does not compile, so please
|
|
don't complain. CVS may put a high load on a server, so please don't poll
|
|
poll for new updates but wait for an announcement; to receive this you may
|
|
want to subscribe to:
|
|
|
|
gnupg-commit-watchers@gnupg.org
|
|
|
|
by sending a mail with subject "subscribe" to
|
|
|
|
gnupg-commit-watchers-request@gnupg.org
|
|
|
|
|
|
Please run scripts/autogen.sh to create some required files.
|
|
|
|
|
|
RSYNC access
|
|
============
|
|
The FTP archive is also available by anonymous rsync. A daily snapshot
|
|
of the CVS head revision is also available. See rsync(1) and try
|
|
"rsync ftp.gnupg.org::" to see available resources.
|
|
|
|
|
|
|
|
RFCs
|
|
====
|
|
|
|
1423 Privacy Enhancement for Internet Electronic Mail:
|
|
Part III: Algorithms, Modes, and Identifiers.
|
|
|
|
1489 Registration of a Cyrillic Character Set.
|
|
|
|
1750 Randomness Recommendations for Security.
|
|
|
|
1991 PGP Message Exchange Formats.
|
|
|
|
2015 MIME Security with Pretty Good Privacy (PGP).
|
|
|
|
2144 The CAST-128 Encryption Algorithm.
|
|
|
|
2279 UTF-8, a transformation format of ISO 10646.
|
|
|
|
2440 OpenPGP.
|
|
|
|
|
|
|
|
Debug Flags
|
|
-----------
|
|
Use the option "--debug n" to output debug information. This option
|
|
can be used multiple times, all values are ORed; n maybe prefixed with
|
|
0x to use hex-values.
|
|
|
|
value used for
|
|
----- ----------------------------------------------
|
|
1 packet reading/writing
|
|
2 MPI details
|
|
4 ciphers and primes (may reveal sensitive data)
|
|
8 iobuf filter functions
|
|
16 iobuf stuff
|
|
32 memory allocation stuff
|
|
64 caching
|
|
128 show memory statistics at exit
|
|
256 trust verification stuff
|
|
|
|
|
|
|
|
|
|
Directory Layout
|
|
----------------
|
|
./ Readme, configure
|
|
./scripts Scripts needed by configure and others
|
|
./doc Documentation
|
|
./util General purpose utility function
|
|
./mpi Multi precision integer library
|
|
./cipher Cryptographic functions
|
|
./g10 GnuPG application
|
|
./tools Some helper and demo programs
|
|
./keybox The keybox library (under construction)
|
|
./gcrypt Stuff needed to build libgcrypt (under construction)
|
|
|
|
|
|
|
|
|
|
|
|
Memory allocation
|
|
-----------------
|
|
Use only the functions:
|
|
|
|
m_alloc()
|
|
m_alloc_clear()
|
|
m_strdup()
|
|
m_free()
|
|
|
|
If you want to store a passphrase or some other sensitive data you may
|
|
want to use m_alloc_secure() instead of m_alloc(), as this puts the data
|
|
into a memory region which is protected from swapping (on some platforms).
|
|
m_free() works for both. This functions will not return if there is not
|
|
enough memory available.
|
|
|
|
|
|
|
|
Logging
|
|
-------
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Option parsing
|
|
---------------
|
|
GNUPG does not use getopt or GNU getopt but functions of it's own. See
|
|
util/argparse.c for details. The advantage of these functions is that
|
|
it is more easy to display and maintain the help texts for the options.
|
|
The same option table is also used to parse resource files.
|
|
|
|
|
|
|
|
What is an IOBUF
|
|
----------------
|
|
This is the data structure used for most I/O of gnupg. It is similar
|
|
to System V Streams but much simpler. Because OpenPGP messages are nested
|
|
in different ways; the use of such a system has big advantages. Here is
|
|
an example, how it works: If the parser sees a packet header with a partial
|
|
length, it pushes the block_filter onto the IOBUF to handle these partial
|
|
length packets: from now on you don't have to worry about this. When it sees
|
|
a compressed packet it pushes the uncompress filter and the next read byte
|
|
is one which has already been uncompressed by this filter. Same goes for
|
|
enciphered packet, plaintext packets and so on. The file g10/encode.c
|
|
might be a good staring point to see how it is used - actually this is
|
|
the other way: constructing messages using pushed filters but it may be
|
|
easier to understand.
|
|
|
|
|
|
How to use the message digest functions
|
|
---------------------------------------
|
|
cipher/md.c implements an interface to hash (message digest functions).
|
|
|
|
a) If you have a common part of data and some variable parts
|
|
and you need to hash of the concatenated parts, you can use this:
|
|
md = md_open(...)
|
|
md_write( md, common_part )
|
|
md1 = md_copy( md )
|
|
md_write(md1, part1)
|
|
md_final(md1);
|
|
digest1 = md_read(md1)
|
|
md2 = md_copy( md )
|
|
md_write(md2, part2)
|
|
md_final(md2);
|
|
digest2 = md_read(md2)
|
|
|
|
An example are key signatures; the key packet is the common part
|
|
and the user-id packets are the variable parts.
|
|
|
|
b) If you need a running digest you should use this:
|
|
md = md_open(...)
|
|
md_write( md, part1 )
|
|
digest_of_part1 = md_digest( md );
|
|
md_write( md, part2 )
|
|
digest_of_part1_cat_part2 = md_digest( md );
|
|
....
|
|
|
|
Both methods may be combined. [Please see the source for the real syntax]
|
|
|
|
|
|
|
|
|
|
How to use the cipher functions
|
|
-------------------------------
|
|
cipher/cipher.c implements the interface to symmetric encryption functions.
|
|
As usual you have a function to open a cipher (which returns a handle to be used
|
|
with all other functions), some functions to set the key and other stuff and
|
|
a encrypt and decrypt function which does the real work. YOu probably know
|
|
how to work with files - so it should really be easy to work with these
|
|
functions. Here is an example:
|
|
|
|
CIPHER_HANDLE hd;
|
|
|
|
hd = cipher_open( CIPHER_ALGO_TWOFISH, CIPHER_MODE_CFB, 0 );
|
|
if( !hd )
|
|
oops( use other funtion to check for the real error );
|
|
rc = cipher_setkey( hd, key256bit, 32 ) )
|
|
if( rc )
|
|
oops( weak key or something like this );
|
|
cipher_setiv( hd, some_IV_or_NULL_for_all_zeroes );
|
|
cipher_encrypt( hd, plain, cipher, size );
|
|
cipher_close( hd );
|
|
|
|
|
|
|
|
How to use the public key functions
|
|
-----------------------------------
|
|
cipher/pubkey.c implements the interface to asymmetric encryption and
|
|
signature functions. This is basically the same as with the symmetric
|
|
counterparts, but due to their nature it is a little bit more complicated.
|
|
|
|
[Give an example]
|
|
|
|
|