From e87a22655de485af790db1d4c51f4bc166a2bbd6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20THIERRY?= Date: Thu, 13 Nov 2014 09:26:18 +0100 Subject: Imported Upstream version 2.0.26 --- sm/Makefile.am | 16 +-- sm/Makefile.in | 75 +++++++++--- sm/certchain.c | 234 +++++++++++++++++++++-------------- sm/certcheck.c | 20 +-- sm/certlist.c | 8 +- sm/certreqgen.c | 58 ++++----- sm/decrypt.c | 2 +- sm/encrypt.c | 2 +- sm/gpgsm-w32info.rc | 50 ++++++++ sm/gpgsm.c | 11 +- sm/gpgsm.h | 15 +-- sm/keydb.c | 347 +++++++++++++++++++++++++++++++++++++++------------- sm/keydb.h | 2 + sm/server.c | 2 +- sm/sign.c | 64 +++++----- sm/verify.c | 58 ++++----- 16 files changed, 648 insertions(+), 316 deletions(-) create mode 100644 sm/gpgsm-w32info.rc (limited to 'sm') diff --git a/sm/Makefile.am b/sm/Makefile.am index d945d71..8e1dc97 100644 --- a/sm/Makefile.am +++ b/sm/Makefile.am @@ -20,13 +20,17 @@ bin_PROGRAMS = gpgsm -EXTRA_DIST = ChangeLog-2011 +EXTRA_DIST = ChangeLog-2011 gpgsm-w32info.rc -AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(KSBA_CFLAGS) $(LIBASSUAN_CFLAGS) +AM_CFLAGS = $(GPG_ERROR_CFLAGS) $(LIBGCRYPT_CFLAGS) \ + $(KSBA_CFLAGS) $(LIBASSUAN_CFLAGS) AM_CPPFLAGS = -I$(top_srcdir)/gl -I$(top_srcdir)/common -I$(top_srcdir)/intl include $(top_srcdir)/am/cmacros.am +if HAVE_W32_SYSTEM +resource_objs += gpgsm-w32info.o +endif gpgsm_SOURCES = \ gpgsm.c gpgsm.h \ @@ -59,13 +63,9 @@ common_libs = $(libcommon) ../kbx/libkeybox.a ../jnlib/libjnlib.a \ gpgsm_LDADD = $(common_libs) ../common/libgpgrl.a $(NETLIBS) \ $(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(LIBASSUAN_LIBS) \ - $(GPG_ERROR_LIBS) $(LIBREADLINE) $(LIBINTL) $(ZLIBS) $(LIBICONV) + $(GPG_ERROR_LIBS) $(LIBREADLINE) $(LIBINTL) $(ZLIBS) \ + $(LIBICONV) $(resource_objs) # Make sure that all libs are build before we use them. This is # important for things like make -j2. $(PROGRAMS): $(common_libs) - - - - - diff --git a/sm/Makefile.in b/sm/Makefile.in index b1cd1da..e649983 100644 --- a/sm/Makefile.in +++ b/sm/Makefile.in 
@@ -1,9 +1,9 @@ -# Makefile.in generated by automake 1.11.1 from Makefile.am. +# Makefile.in generated by automake 1.11.6 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -41,16 +41,33 @@ # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. -# +# # GnuPG is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. -# +# # You should have received a copy of the GNU General Public License # along with this program; if not, see . VPATH = @srcdir@ +am__make_dryrun = \ + { \ + am__dry=no; \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \ + | grep '^AM OK$$' >/dev/null || am__dry=yes;; \ + *) \ + for am__flg in $$MAKEFLAGS; do \ + case $$am__flg in \ + *=*|--*) ;; \ + *n*) am__dry=yes; break;; \ + esac; \ + done;; \ + esac; \ + test $$am__dry = yes; \ + } pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ 
@@ -87,6 +104,7 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ @GNUPG_SCDAEMON_PGM_TRUE@am__append_4 = -DGNUPG_DEFAULT_SCDAEMON="\"@GNUPG_SCDAEMON_PGM@\"" @GNUPG_DIRMNGR_PGM_TRUE@am__append_5 = -DGNUPG_DEFAULT_DIRMNGR="\"@GNUPG_DIRMNGR_PGM@\"" @GNUPG_PROTECT_TOOL_PGM_TRUE@am__append_6 = -DGNUPG_DEFAULT_PROTECT_TOOL="\"@GNUPG_PROTECT_TOOL_PGM@\"" +@HAVE_W32_SYSTEM_TRUE@am__append_7 = gpgsm-w32info.o subdir = sm ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/gl/m4/absolute-header.m4 \ @@ -134,7 +152,7 @@ gpgsm_DEPENDENCIES = $(common_libs) ../common/libgpgrl.a \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) + $(am__DEPENDENCIES_1) $(resource_objs) DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/scripts/depcomp am__depfiles_maybe = depfiles @@ -145,6 +163,11 @@ CCLD = $(CC) LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ SOURCES = $(gpgsm_SOURCES) DIST_SOURCES = $(gpgsm_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -164,7 +187,11 @@ BITSIZEOF_SIG_ATOMIC_T = @BITSIZEOF_SIG_ATOMIC_T@ BITSIZEOF_SIZE_T = @BITSIZEOF_SIZE_T@ BITSIZEOF_WCHAR_T = @BITSIZEOF_WCHAR_T@ BITSIZEOF_WINT_T = @BITSIZEOF_WINT_T@ +BUILD_FILEVERSION = @BUILD_FILEVERSION@ +BUILD_HOSTNAME = @BUILD_HOSTNAME@ BUILD_INCLUDED_LIBINTL = @BUILD_INCLUDED_LIBINTL@ +BUILD_REVISION = @BUILD_REVISION@ +BUILD_TIMESTAMP = @BUILD_TIMESTAMP@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ 
@@ -342,12 +369,15 @@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ -EXTRA_DIST = ChangeLog-2011 -AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(KSBA_CFLAGS) $(LIBASSUAN_CFLAGS) +EXTRA_DIST = ChangeLog-2011 gpgsm-w32info.rc +AM_CFLAGS = $(GPG_ERROR_CFLAGS) $(LIBGCRYPT_CFLAGS) \ + $(KSBA_CFLAGS) $(LIBASSUAN_CFLAGS) + AM_CPPFLAGS = -I$(top_srcdir)/gl -I$(top_srcdir)/common \ -I$(top_srcdir)/intl -DLOCALEDIR=\"$(localedir)\" \ $(am__append_1) $(am__append_2) $(am__append_3) \ $(am__append_4) $(am__append_5) $(am__append_6) +resource_objs = $(am__append_7) # Convenience macros libcommon = ../common/libcommon.a @@ -382,12 +412,13 @@ common_libs = $(libcommon) ../kbx/libkeybox.a ../jnlib/libjnlib.a \ gpgsm_LDADD = $(common_libs) ../common/libgpgrl.a $(NETLIBS) \ $(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(LIBASSUAN_LIBS) \ - $(GPG_ERROR_LIBS) $(LIBREADLINE) $(LIBINTL) $(ZLIBS) $(LIBICONV) + $(GPG_ERROR_LIBS) $(LIBREADLINE) $(LIBINTL) $(ZLIBS) \ + $(LIBICONV) $(resource_objs) all: all-am .SUFFIXES: -.SUFFIXES: .c .o .obj +.SUFFIXES: .c .o .obj .rc $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/am/cmacros.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ @@ -409,6 +440,7 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; +$(top_srcdir)/am/cmacros.am: $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh 
@@ -420,8 +452,11 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) $(am__aclocal_m4_deps): install-binPROGRAMS: $(bin_PROGRAMS) @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)" @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \ + fi; \ for p in $$list; do echo "$$p $$p"; done | \ sed 's/$(EXEEXT)$$//' | \ while read p p1; do if test -f $$p; \ @@ -455,7 +490,7 @@ uninstall-binPROGRAMS: clean-binPROGRAMS: -test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS) -gpgsm$(EXEEXT): $(gpgsm_OBJECTS) $(gpgsm_DEPENDENCIES) +gpgsm$(EXEEXT): $(gpgsm_OBJECTS) $(gpgsm_DEPENDENCIES) $(EXTRA_gpgsm_DEPENDENCIES) @rm -f gpgsm$(EXEEXT) $(LINK) $(gpgsm_OBJECTS) $(gpgsm_LDADD) $(LIBS) @@ -602,10 +637,15 @@ install-am: all-am installcheck: installcheck-am install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi mostlyclean-generic: clean-generic: @@ -702,6 +742,9 @@ uninstall-am: uninstall-binPROGRAMS uninstall-am uninstall-binPROGRAMS +@HAVE_W32_SYSTEM_TRUE@.rc.o: +@HAVE_W32_SYSTEM_TRUE@ $(WINDRES) $(DEFAULT_INCLUDES) $(INCLUDES) "$<" "$@" + # Make sure that all libs are build before we use them. This is # important for things like make -j2. $(PROGRAMS): $(common_libs) diff --git a/sm/certchain.c b/sm/certchain.c index f4ad214..1fbe9ca 100644 
--- a/sm/certchain.c +++ b/sm/certchain.c @@ -23,7 +23,7 @@ #include #include #include -#include +#include #include #include #include @@ -193,7 +193,7 @@ has_validation_model_chain (ksba_cert_t cert, int listmode, estream_t listfp) if (opt.verbose) do_list (0, listmode, listfp, - _("validation model requested by certificate: %s"), + _("validation model requested by certificate: %s"), !strcmp (oidbuf, "1.3.6.1.4.1.8301.3.5.1")? _("chain") : !strcmp (oidbuf, "1.3.6.1.4.1.8301.3.5.2")? _("shell") : /* */ oidbuf); @@ -274,9 +274,9 @@ unknown_criticals (ksba_cert_t cert, int listmode, estream_t fp) /* Check whether CERT is an allowed certificate. This requires that CERT matches all requirements for such a CA, i.e. the BasicConstraints extension. The function returns 0 on success and - the awlloed length of the chain at CHAINLEN. */ + the allowed length of the chain at CHAINLEN. */ static int -allowed_ca (ctrl_t ctrl, +allowed_ca (ctrl_t ctrl, ksba_cert_t cert, int *chainlen, int listmode, estream_t fp) { gpg_error_t err; @@ -327,7 +327,7 @@ check_cert_policy (ksba_cert_t cert, int listmode, estream_t fplist) any_critical = !!strstr (policies, ":C"); if (!opt.policy_file) - { + { xfree (policies); if (any_critical) { @@ -358,7 +358,7 @@ check_cert_policy (ksba_cert_t cert, int listmode, estream_t fplist) return gpg_error (GPG_ERR_NO_POLICY_MATCH); } - for (;;) + for (;;) { int c; char *p, line[256]; @@ -389,7 +389,7 @@ check_cert_policy (ksba_cert_t cert, int listmode, estream_t fplist) fclose (fp); return tmperr; } - + if (!*line || line[strlen(line)-1] != '\n') { /* eat until end of line */ @@ -400,13 +400,13 @@ check_cert_policy (ksba_cert_t cert, int listmode, estream_t fplist) return gpg_error (*line? GPG_ERR_LINE_TOO_LONG : GPG_ERR_INCOMPLETE_LINE); } - + /* Allow for empty lines and spaces */ for (p=line; spacep (p); p++) ; } while (!*p || *p == '\n' || *p == '#'); - + /* parse line */ for (allowed=line; spacep (allowed); allowed++) ; 
@@ -444,6 +444,8 @@ find_up_search_by_keyid (KEYDB_HANDLE kh, int rc; ksba_cert_t cert = NULL; ksba_sexp_t subj = NULL; + int anyfound = 0; + ksba_isotime_t not_before, last_not_before; keydb_search_reset (kh); while (!(rc = keydb_search_subject (kh, issuer))) @@ -460,10 +462,37 @@ find_up_search_by_keyid (KEYDB_HANDLE kh, if (!ksba_cert_get_subj_key_id (cert, NULL, &subj)) { if (!cmp_simple_canon_sexp (keyid, subj)) - break; /* Found matching cert. */ + { + /* Found matching cert. */ + rc = ksba_cert_get_validity (cert, 0, not_before); + if (rc) + { + log_error ("keydb_get_validity() failed: rc=%d\n", rc); + rc = -1; + break; + } + + if (!anyfound || strcmp (last_not_before, not_before) < 0) + { + /* This certificate is the first one found or newer + than the previous one. This copes with + re-issuing CA certificates while keeping the same + key information. */ + anyfound = 1; + gnupg_copy_time (last_not_before, not_before); + keydb_push_found_state (kh); + } + } } } - + + if (anyfound) + { + /* Take the last saved one. */ + keydb_pop_found_state (kh); + rc = 0; /* Ignore EOF or other error after the first cert. */ + } + ksba_cert_release (cert); xfree (subj); return rc? -1:0; @@ -493,7 +522,7 @@ find_up_external (ctrl_t ctrl, KEYDB_HANDLE kh, int count = 0; char *pattern; const char *s; - + if (opt.verbose) log_info (_("looking up issuer at external location\n")); /* The Dirmngr process is confused about unknown attributes. As a @@ -515,7 +544,7 @@ find_up_external (ctrl_t ctrl, KEYDB_HANDLE kh, if (opt.verbose) log_info (_("number of issuers matching: %d\n"), count); - if (rc) + if (rc) { log_error ("external key lookup failed: %s\n", gpg_strerror (rc)); rc = -1; @@ -556,7 +585,7 @@ find_up_dirmngr (ctrl_t ctrl, KEYDB_HANDLE kh, char *pattern; (void)kh; - + if (opt.verbose) log_info (_("looking up issuer from the Dirmngr cache\n")); if (subject_mode) 
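Review bot: In find_up_search_by_keyid (the first two hunks on this line, sm/certchain.c) the new tie-break keeps the candidate with the latest `not_before` and never consults the current time or notAfter. Among issuer certificates sharing the subject key identifier, one that is not yet valid or already expired can therefore be preferred over an older one still inside its validity period; whether the caller recovers from that is not visible in these hunks. At minimum the comment should state the rule, e.g. `/* Selection is by newest notBefore only; the validity period is not checked here. */`, or candidates outside their validity period should be skipped if that is the intent. The error text `"keydb_get_validity() failed: rc=%d\n"` names a function other than the one called and should read `"ksba_cert_get_validity() failed: rc=%d\n"`. keydb_push_found_state may run several times against a single keydb_pop_found_state, which is only correct if the saved state is a single slot rather than a stack; that is defined in sm/keydb.c, outside this view, and the function body itself starts and ends outside the hunks.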
@@ -583,7 +612,7 @@ find_up_dirmngr (ctrl_t ctrl, KEYDB_HANDLE kh, if (opt.verbose) log_info (_("number of matching certificates: %d\n"), count); - if (rc && !opt.quiet) + if (rc && !opt.quiet) log_info (_("dirmngr cache-only key lookup failed: %s\n"), gpg_strerror (rc)); return (!rc && count)? 0 : -1; @@ -598,7 +627,7 @@ find_up_dirmngr (ctrl_t ctrl, KEYDB_HANDLE kh, keydb_get_cert on the keyDb context KH will return it. Returns 0 on success, -1 if not found or an error code. */ static int -find_up (ctrl_t ctrl, KEYDB_HANDLE kh, +find_up (ctrl_t ctrl, KEYDB_HANDLE kh, ksba_cert_t cert, const char *issuer, int find_next) { ksba_name_t authid; @@ -606,6 +635,8 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh, ksba_sexp_t keyid; int rc = -1; + if (DBG_X509) + log_debug ("looking for parent certificate\n"); if (!ksba_cert_get_auth_key_id (cert, &keyid, &authid, &authidno)) { const char *s = ksba_name_enum (authid, 0); @@ -614,7 +645,10 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh, rc = keydb_search_issuer_sn (kh, s, authidno); if (rc) keydb_search_reset (kh); - + + if (!rc && DBG_X509) + log_debug (" found via authid and sn+issuer\n"); + /* In case of an error, try to get the certificate from the dirmngr. That is done by trying to put that certifcate into the ephemeral DB and let the code below do the @@ -627,17 +661,20 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh, that in find_next mode because we can't keep the search state then. */ if (rc == -1 && !find_next) - { + { int old = keydb_set_ephemeral (kh, 1); if (!old) { rc = keydb_search_issuer_sn (kh, s, authidno); if (rc) keydb_search_reset (kh); + + if (!rc && DBG_X509) + log_debug (" found via authid and sn+issuer (ephem)\n"); } keydb_set_ephemeral (kh, old); } - if (rc) + if (rc) rc = -1; /* Need to make sure to have this error code. */ } 
@@ -649,14 +686,18 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh, subjectKeyIdentifier. */ /* Fixme: Should we also search in the dirmngr? */ rc = find_up_search_by_keyid (kh, issuer, keyid); + if (!rc && DBG_X509) + log_debug (" found via authid and keyid\n"); if (rc) { int old = keydb_set_ephemeral (kh, 1); if (!old) rc = find_up_search_by_keyid (kh, issuer, keyid); + if (!rc && DBG_X509) + log_debug (" found via authid and keyid (ephem)\n"); keydb_set_ephemeral (kh, old); } - if (rc) + if (rc) rc = -1; /* Need to make sure to have this error code. */ } @@ -676,13 +717,21 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh, } keydb_set_ephemeral (kh, old); } - if (rc) + if (rc) rc = -1; /* Need to make sure to have this error code. */ + + if (!rc && DBG_X509) + log_debug (" found via authid and issuer from dirmngr cache\n"); } /* If we still didn't found it, try an external lookup. */ if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next) - rc = find_up_external (ctrl, kh, issuer, keyid); + { + rc = find_up_external (ctrl, kh, issuer, keyid); + if (!rc && DBG_X509) + log_debug (" found via authid and external lookup\n"); + } + /* Print a note so that the user does not feel too helpless when an issuer certificate was found and gpgsm prints BAD @@ -714,7 +763,7 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh, ksba_name_release (authid); xfree (authidno); } - + if (rc) /* Not found via authorithyKeyIdentifier, try regular issuer name. */ rc = keydb_search_subject (kh, issuer); if (rc == -1 && !find_next) 
@@ -733,11 +782,18 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh, rc = keydb_search_subject (kh, issuer); } keydb_set_ephemeral (kh, old); + + if (!rc && DBG_X509) + log_debug (" found via issuer\n"); } /* Still not found. If enabled, try an external lookup. */ if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next) - rc = find_up_external (ctrl, kh, issuer, NULL); + { + rc = find_up_external (ctrl, kh, issuer, NULL); + if (!rc && DBG_X509) + log_debug (" found via issuer and external lookup\n"); + } return rc; } @@ -748,7 +804,7 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh, int gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next) { - int rc = 0; + int rc = 0; char *issuer = NULL; char *subject = NULL; KEYDB_HANDLE kh = keydb_new (0); @@ -756,7 +812,7 @@ gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next) *r_next = NULL; if (!kh) { - log_error (_("failed to allocated keyDB handle\n")); + log_error (_("failed to allocate keyDB handle\n")); rc = gpg_error (GPG_ERR_GENERAL); goto leave; } @@ -779,7 +835,7 @@ gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next) if (is_root_cert (start, issuer, subject)) { rc = -1; /* we are at the root */ - goto leave; + goto leave; } rc = find_up (ctrl, kh, start, issuer, 0); @@ -803,7 +859,7 @@ gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next) leave: xfree (issuer); xfree (subject); - keydb_release (kh); + keydb_release (kh); return rc; } 
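Review bot: In the first hunk on this line (find_up, `@@ -733,11 +782,18 @@`) the added `log_debug (" found via issuer\n")` appears to sit inside the block that retries the subject search in the ephemeral keydb. If that reading of the collapsed braces is right, a hit from the regular `keydb_search_subject (kh, issuer)` just before that block is never traced, and an ephemeral hit is reported without the `(ephem)` suffix the other new messages use. I would change the message in the retry block to `" found via issuer (ephem)\n"` and add the plain `" found via issuer\n"` trace for the non-ephemeral search, guarded so it fires only when that search actually ran. find_up begins in an earlier hunk, so the surrounding control flow is only partly visible here.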
@@ -850,20 +906,20 @@ is_root_cert (ksba_cert_t cert, const char *issuerdn, const char *subjectdn) that is the case this is a root certificate. */ ak_name_str = ksba_name_enum (ak_name, 0); if (ak_name_str - && !strcmp (ak_name_str, issuerdn) + && !strcmp (ak_name_str, issuerdn) && !cmp_simple_canon_sexp (ak_sn, serialno)) { result = 1; /* Right, CERT is self-signed. */ goto leave; - } - + } + /* Similar for the ak_keyid. */ if (ak_keyid && !ksba_cert_get_subj_key_id (cert, NULL, &subj_keyid) && !cmp_simple_canon_sexp (ak_keyid, subj_keyid)) { result = 1; /* Right, CERT is self-signed. */ goto leave; - } + } leave: @@ -872,7 +928,7 @@ is_root_cert (ksba_cert_t cert, const char *issuerdn, const char *subjectdn) ksba_name_release (ak_name); ksba_free (ak_sn); ksba_free (serialno); - return result; + return result; } @@ -896,7 +952,7 @@ gpgsm_is_root_cert (ksba_cert_t cert) /* This is a helper for gpgsm_validate_chain. */ -static gpg_error_t +static gpg_error_t is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp, ksba_cert_t subject_cert, ksba_cert_t issuer_cert, int *any_revoked, int *any_no_crl, int *any_crl_too_old) @@ -905,13 +961,13 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp, if (opt.no_crl_check && !ctrl->use_ocsp) { - audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, + audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, gpg_error (GPG_ERR_NOT_ENABLED)); return 0; } err = gpgsm_dirmngr_isvalid (ctrl, - subject_cert, issuer_cert, + subject_cert, issuer_cert, force_ocsp? 2 : !!ctrl->use_ocsp); audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, err); @@ -948,7 +1004,7 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp, "\"dirmngr\" is properly installed\n")); *any_crl_too_old = 1; break; - + default: do_list (1, lm, fp, _("checking the CRL failed: %s"), gpg_strerror (err)); 
@@ -963,7 +1019,7 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp, SUBJECT_CERT. The caller needs to pass EXPTIME which will be updated to the nearest expiration time seen. A DEPTH of 0 indicates the target certifciate, -1 the final root certificate and other - values intermediate certificates. */ + values intermediate certificates. */ static gpg_error_t check_validity_period (ksba_isotime_t current_time, ksba_cert_t subject_cert, @@ -993,7 +1049,7 @@ check_validity_period (ksba_isotime_t current_time, if (*not_before && strcmp (current_time, not_before) < 0 ) { - do_list (1, listmode, listfp, + do_list (1, listmode, listfp, depth == 0 ? _("certificate not yet valid") : depth == -1 ? _("root certificate not yet valid") : /* other */ _("intermediate certificate not yet valid")); @@ -1004,8 +1060,8 @@ check_validity_period (ksba_isotime_t current_time, log_printf (")\n"); } return gpg_error (GPG_ERR_CERT_TOO_YOUNG); - } - + } + if (*not_after && strcmp (current_time, not_after) > 0 ) { do_list (opt.ignore_expiration?0:1, listmode, listfp, @@ -1022,8 +1078,8 @@ check_validity_period (ksba_isotime_t current_time, log_info ("WARNING: ignoring expiration\n"); else return gpg_error (GPG_ERR_CERT_EXPIRED); - } - + } + return 0; } @@ -1070,7 +1126,7 @@ check_validity_period_cm (ksba_isotime_t current_time, log_printf (")\n"); return gpg_error (GPG_ERR_BAD_CERT); } - + if (!*exptime) gnupg_copy_time (exptime, not_after); else if (strcmp (not_after, exptime) < 0 ) @@ -1078,7 +1134,7 @@ check_validity_period_cm (ksba_isotime_t current_time, if (strcmp (current_time, not_before) < 0 ) { - do_list (1, listmode, listfp, + do_list (1, listmode, listfp, depth == 0 ? _("certificate not yet valid") : depth == -1 ? _("root certificate not yet valid") : /* other */ _("intermediate certificate not yet valid")); 
@@ -1089,16 +1145,16 @@ check_validity_period_cm (ksba_isotime_t current_time, log_printf (")\n"); } return gpg_error (GPG_ERR_CERT_TOO_YOUNG); - } + } if (*check_time - && (strcmp (check_time, not_before) < 0 + && (strcmp (check_time, not_before) < 0 || strcmp (check_time, not_after) > 0)) { /* Note that we don't need a case for the root certificate because its own consitency has already been checked. */ do_list(opt.ignore_expiration?0:1, listmode, listfp, - depth == 0 ? + depth == 0 ? _("signature not created during lifetime of certificate") : depth == 1 ? _("certificate not created during lifetime of issuer") : @@ -1135,7 +1191,7 @@ check_validity_period_cm (ksba_isotime_t current_time, static int ask_marktrusted (ctrl_t ctrl, ksba_cert_t cert, int listmode) { - static int no_more_questions; + static int no_more_questions; int rc; char *fpr; int success = 0; @@ -1143,7 +1199,7 @@ ask_marktrusted (ctrl_t ctrl, ksba_cert_t cert, int listmode) fpr = gpgsm_get_fingerprint_string (cert, GCRY_MD_SHA1); log_info (_("fingerprint=%s\n"), fpr? fpr : "?"); xfree (fpr); - + if (no_more_questions) rc = gpg_error (GPG_ERR_NOT_SUPPORTED); else @@ -1225,7 +1281,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, { if (!strcmp (checktime_arg, "19700101T000000")) { - do_list (1, listmode, listfp, + do_list (1, listmode, listfp, _("WARNING: creation time of signature not known - " "assuming current time")); gnupg_copy_time (check_time, current_time); @@ -1249,7 +1305,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, kh = keydb_new (0); if (!kh) { - log_error (_("failed to allocated keyDB handle\n")); + log_error (_("failed to allocate keyDB handle\n")); rc = gpg_error (GPG_ERR_GENERAL); goto leave; } 
@@ -1314,7 +1370,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, if (has_validation_model_chain (subject_cert, listmode, listfp)) rootca_flags->chain_model = 1; } - + /* Check the validity period. */ if ( (flags & VALIDATE_FLAG_CHAIN_MODEL) ) @@ -1332,7 +1388,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, } else if (rc) goto leave; - + /* Assert that we understand all critical extensions. */ rc = unknown_criticals (subject_cert, listmode, listfp); @@ -1355,7 +1411,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, /* If this is the root certificate we are at the end of the chain. */ if (is_root) - { + { if (!istrusted_rc) ; /* No need to check the certificate for a trusted one. */ else if (gpgsm_check_cert_sig (subject_cert, subject_cert) ) @@ -1378,8 +1434,8 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, if (rc) goto leave; } - - + + /* Set the flag for qualified signatures. This flag is deduced from a list of root certificates allowed for qualified signatures. */ @@ -1388,15 +1444,15 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, gpg_error_t err; size_t buflen; char buf[1]; - - if (!ksba_cert_get_user_data (cert, "is_qualified", + + if (!ksba_cert_get_user_data (cert, "is_qualified", &buf, sizeof (buf), &buflen) && buflen) { /* We already checked this for this certificate, thus we simply take it from the user data. */ is_qualified = !!*buf; - } + } else { /* Need to consult the list of root certificates for @@ -1419,7 +1475,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, "is_qualified", buf, 1); if (err) log_error ("set_user_data(is_qualified) failed: %s\n", - gpg_strerror (err)); + gpg_strerror (err)); } } } 
@@ -1431,7 +1487,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, ; else if (gpg_err_code (rc) == GPG_ERR_NOT_TRUSTED) { - do_list (0, listmode, listfp, + do_list (0, listmode, listfp, _("root certificate is not marked trusted")); /* If we already figured out that the certificate is expired it does not make much sense to ask the user @@ -1443,12 +1499,12 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, && ask_marktrusted (ctrl, subject_cert, listmode) ) rc = 0; } - else + else { log_error (_("checking the trust list failed: %s\n"), gpg_strerror (rc)); } - + if (rc) goto leave; @@ -1456,9 +1512,9 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, if ((flags & VALIDATE_FLAG_NO_DIRMNGR)) ; else if (opt.no_trusted_cert_crl_check || rootca_flags->relax) - ; + ; else - rc = is_cert_still_valid (ctrl, + rc = is_cert_still_valid (ctrl, (flags & VALIDATE_FLAG_CHAIN_MODEL), listmode, listfp, subject_cert, subject_cert, @@ -1470,7 +1526,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, break; /* Okay: a self-signed certicate is an end-point. */ } /* End is_root. */ - + /* Take care that the chain does not get too long. */ if ((depth+1) > maxdepth) { @@ -1552,7 +1608,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, do_list (0, listmode, listfp, _("found another possible matching " "CA certificate - trying again")); - ksba_cert_release (issuer_cert); + ksba_cert_release (issuer_cert); issuer_cert = tmp_cert; goto try_another_cert; } @@ -1629,9 +1685,9 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, rc = 0; else if (is_root && (opt.no_trusted_cert_crl_check || (!istrusted_rc && rootca_flags->relax))) - rc = 0; + rc = 0; else - rc = is_cert_still_valid (ctrl, + rc = is_cert_still_valid (ctrl, (flags & VALIDATE_FLAG_CHAIN_MODEL), listmode, listfp, subject_cert, issuer_cert, 
@@ -1690,7 +1746,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, else if (any_no_policy_match) rc = gpg_error (GPG_ERR_NO_POLICY_MATCH); } - + leave: /* If we have traversed a complete chain up to the root we will reset the ephemeral flag for all these certificates. This is done @@ -1700,7 +1756,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, { gpg_error_t err; chain_item_t ci; - + for (ci = chain; ci; ci = ci->next) { /* Note that it is possible for the last certificate in the @@ -1714,7 +1770,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, ; else if (err) log_error ("clearing ephemeral flag failed: %s\n", - gpg_strerror (err)); + gpg_strerror (err)); } } @@ -1729,14 +1785,14 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, char buf[1]; buf[0] = !!is_qualified; - + for (ci = chain; ci; ci = ci->next) { err = ksba_cert_set_user_data (ci->cert, "is_qualified", buf, 1); if (err) { log_error ("set_user_data(is_qualified) failed: %s\n", - gpg_strerror (err)); + gpg_strerror (err)); if (!rc) rc = err; } @@ -1762,7 +1818,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, gnupg_copy_time (r_exptime, exptime); xfree (issuer); xfree (subject); - keydb_release (kh); + keydb_release (kh); while (chain) { chain_item_t ci_next = chain->next; @@ -1807,7 +1863,7 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime, *retflags = (flags & VALIDATE_FLAG_CHAIN_MODEL); memset (&rootca_flags, 0, sizeof rootca_flags); - rc = do_validate_chain (ctrl, cert, checktime, + rc = do_validate_chain (ctrl, cert, checktime, r_exptime, listmode, listfp, flags, &rootca_flags); if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED 
@@ -1816,17 +1872,17 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime, { do_list (0, listmode, listfp, _("switching to chain model")); rc = do_validate_chain (ctrl, cert, checktime, - r_exptime, listmode, listfp, + r_exptime, listmode, listfp, (flags |= VALIDATE_FLAG_CHAIN_MODEL), &rootca_flags); *retflags |= VALIDATE_FLAG_CHAIN_MODEL; } if (opt.verbose) - do_list (0, listmode, listfp, _("validation model used: %s"), + do_list (0, listmode, listfp, _("validation model used: %s"), (*retflags & VALIDATE_FLAG_CHAIN_MODEL)? _("chain"):_("shell")); - + return rc; } @@ -1843,7 +1899,7 @@ gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert) char *subject = NULL; KEYDB_HANDLE kh; ksba_cert_t issuer_cert = NULL; - + if (opt.no_chain_validation) { log_info ("WARNING: bypassing basic certificate checks\n"); @@ -1853,7 +1909,7 @@ gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert) kh = keydb_new (0); if (!kh) { - log_error (_("failed to allocated keyDB handle\n")); + log_error (_("failed to allocate keyDB handle\n")); rc = gpg_error (GPG_ERR_GENERAL); goto leave; } @@ -1900,7 +1956,7 @@ gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert) rc = gpg_error (GPG_ERR_MISSING_ISSUER_CERT); goto leave; } - + ksba_cert_release (issuer_cert); issuer_cert = NULL; rc = keydb_get_cert (kh, &issuer_cert); if (rc) @@ -1930,7 +1986,7 @@ gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert) leave: xfree (issuer); xfree (subject); - keydb_release (kh); + keydb_release (kh); ksba_cert_release (issuer_cert); return rc; } 
@@ -1941,7 +1997,7 @@ gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert) authority for qualified signature. They do not set the basicConstraints and thus we need this workaround. It works by looking up the root certificate and checking whether that one is - listed as a qualified certificate for Germany. + listed as a qualified certificate for Germany. We also try to cache this data but as long as don't keep a reference to the certificate this won't be used. @@ -1967,7 +2023,7 @@ get_regtp_ca_info (ctrl_t ctrl, ksba_cert_t cert, int *chainlen) chainlen = &dummy_chainlen; *chainlen = 0; - err = ksba_cert_get_user_data (cert, "regtp_ca_chainlen", + err = ksba_cert_get_user_data (cert, "regtp_ca_chainlen", &buf, sizeof (buf), &buflen); if (!err) { @@ -2024,7 +2080,7 @@ get_regtp_ca_info (ctrl_t ctrl, ksba_cert_t cert, int *chainlen) "\x01\x00", 2); if (err) log_error ("ksba_set_user_data(%s) failed: %s\n", - "regtp_ca_chainlen", gpg_strerror (err)); + "regtp_ca_chainlen", gpg_strerror (err)); for (i=0; i < depth; i++) ksba_cert_release (array[i]); *chainlen = (depth>1? 0:1); @@ -2033,11 +2089,11 @@ get_regtp_ca_info (ctrl_t ctrl, ksba_cert_t cert, int *chainlen) leave: /* Nothing special with this certificate. Mark the target - certificate anyway to avoid duplicate lookups. */ + certificate anyway to avoid duplicate lookups. */ err = ksba_cert_set_user_data (cert, "regtp_ca_chainlen", "", 1); if (err) log_error ("ksba_set_user_data(%s) failed: %s\n", - "regtp_ca_chainlen", gpg_strerror (err)); + "regtp_ca_chainlen", gpg_strerror (err)); for (i=0; i < depth; i++) ksba_cert_release (array[i]); return 0; diff --git a/sm/certcheck.c b/sm/certcheck.c index 51a809b..e2e4a4b 100644 --- a/sm/certcheck.c +++ b/sm/certcheck.c @@ -22,7 +22,7 @@ #include #include #include -#include +#include #include #include 
@@ -106,7 +106,7 @@ do_encode_md (gcry_md_hd_t md, int algo, int pkalgo, unsigned int nbits, { log_error (_("a %u bit hash is not valid for a %u bit %s key\n"), (unsigned int)nframe*8, - gcry_pk_get_nbits (pkey), + gcry_pk_get_nbits (pkey), gcry_pk_algo_name (pkalgo)); /* FIXME: we need to check the requirements for ECDSA. */ if (nframe < 20 || pkalgo == GCRY_PK_DSA ) @@ -139,16 +139,16 @@ do_encode_md (gcry_md_hd_t md, int algo, int pkalgo, unsigned int nbits, log_error ("no object identifier for algo %d\n", algo); return gpg_error (GPG_ERR_INTERNAL); } - + len = gcry_md_get_algo_dlen (algo); - + if ( len + asnlen + 4 > nframe ) { log_error ("can't encode a %d bit MD into a %d bits frame\n", (int)(len*8), (int)nbits); return gpg_error (GPG_ERR_INTERNAL); } - + /* We encode the MD in this way: * * 0 A PAD(n bytes) 0 ASN(asnlen bytes) MD(len bytes) @@ -177,7 +177,7 @@ do_encode_md (gcry_md_hd_t md, int algo, int pkalgo, unsigned int nbits, log_printf (" %02X", frame[j]); log_printf ("\n"); } - + gcry_mpi_scan (r_val, GCRYMPI_FMT_USG, frame, n, &nframe); xfree (frame); return 0; @@ -251,7 +251,7 @@ gpgsm_check_cert_sig (ksba_cert_t issuer_cert, ksba_cert_t cert) return rc; } if (DBG_HASHING) - gcry_md_start_debug (md, "hash.cert"); + gcry_md_debug (md, "hash.cert"); rc = ksba_cert_hash (cert, 1, HASH_FNC, md); if (rc) @@ -324,7 +324,7 @@ gpgsm_check_cert_sig (ksba_cert_t issuer_cert, ksba_cert_t cert) BUG (); gcry_mpi_release (frame); - + rc = gcry_pk_verify (s_sig, s_hash, s_pkey); if (DBG_X509) log_debug ("gcry_pk_verify: %s\n", gpg_strerror (rc)); @@ -400,7 +400,7 @@ gpgsm_check_cms_signature (ksba_cert_t cert, ksba_const_sexp_t sigval, if ( gcry_sexp_build (&s_hash, NULL, "%m", frame) ) BUG (); gcry_mpi_release (frame); - + rc = gcry_pk_verify (s_sig, s_hash, s_pkey); if (DBG_X509) log_debug ("gcry_pk_verify: %s\n", gpg_strerror (rc)); 
@@ -427,7 +427,7 @@ gpgsm_create_cms_signature (ctrl_t ctrl, ksba_cert_t cert, desc = gpgsm_format_keydesc (cert); - rc = gpgsm_agent_pksign (ctrl, grip, desc, gcry_md_read(md, mdalgo), + rc = gpgsm_agent_pksign (ctrl, grip, desc, gcry_md_read(md, mdalgo), gcry_md_get_algo_dlen (mdalgo), mdalgo, r_sigval, &siglen); xfree (desc); diff --git a/sm/certlist.c b/sm/certlist.c index 4137437..bfacaa2 100644 --- a/sm/certlist.c +++ b/sm/certlist.c @@ -139,7 +139,7 @@ cert_usage_p (ksba_cert_t cert, int mode) { if ((use & (KSBA_KEYUSAGE_KEY_CERT_SIGN))) return 0; - log_info (_("certificate should have not " + log_info (_("certificate should not have " "been used for certification\n")); return gpg_error (GPG_ERR_WRONG_KEY_USAGE); } @@ -151,7 +151,7 @@ cert_usage_p (ksba_cert_t cert, int mode) || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN |KSBA_KEYUSAGE_CRL_SIGN)))) return 0; - log_info (_("certificate should have not " + log_info (_("certificate should not have " "been used for OCSP response signing\n")); return gpg_error (GPG_ERR_WRONG_KEY_USAGE); } @@ -162,8 +162,8 @@ cert_usage_p (ksba_cert_t cert, int mode) ) return 0; - log_info (mode==3? _("certificate should have not been used for encryption\n"): - mode==2? _("certificate should have not been used for signing\n"): + log_info (mode==3? _("certificate should not have been used for encryption\n"): + mode==2? _("certificate should not have been used for signing\n"): mode==1? _("certificate is not usable for encryption\n"): _("certificate is not usable for signing\n")); return gpg_error (GPG_ERR_WRONG_KEY_USAGE); diff --git a/sm/certreqgen.c b/sm/certreqgen.c index 49b2b92..c3f3165 100644 --- a/sm/certreqgen.c +++ b/sm/certreqgen.c 
@@ -74,9 +74,9 @@ The format of the native parameter file is follows: This is the DN name of the subject in rfc2253 format. Name-Email: The is an email address for the altSubjectName - Name-DNS: + Name-DNS: The is an DNS name for the altSubjectName - Name-URI: + Name-URI: The is an URI for the altSubjectName Here is an example: @@ -98,7 +98,7 @@ EOF #include #include #include -#include +#include #include #include @@ -126,7 +126,7 @@ struct para_data_s { int lnr; enum para_name key; union { - unsigned int usage; + unsigned int usage; char value[1]; } u; }; @@ -156,7 +156,7 @@ static void release_parameter_list (struct para_data_s *r) { struct para_data_s *r2; - + for (; r ; r = r2) { r2 = r->next; @@ -168,7 +168,7 @@ static struct para_data_s * get_parameter (struct para_data_s *para, enum para_name key, int seq) { struct para_data_s *r; - + for (r = para; r ; r = r->next) if ( r->key == key && !seq--) return r; @@ -190,7 +190,7 @@ get_parameter_algo (struct para_data_s *para, enum para_name key) return -1; if (digitp (r->u.value)) return atoi( r->u.value ); - return gcry_pk_map_name (r->u.value); + return gcry_pk_map_name (r->u.value); } /* Parse the usage parameter. Returns 0 on success. Note that we @@ -203,10 +203,10 @@ parse_parameter_usage (struct para_data_s *para, enum para_name key) struct para_data_s *r = get_parameter (para, key, 0); char *p, *pn; unsigned int use; - + if (!r) return 0; /* none (this is an optional parameter)*/ - + use = 0; pn = r->u.value; while ( (p = strsep (&pn, " \t,")) ) @@ -474,7 +474,7 @@ proc_parameters (ctrl_t ctrl, log_error (_("line %d: invalid algorithm\n"), r->lnr); return gpg_error (GPG_ERR_INV_PARAMETER); } - + /* Check the keylength. */ if (!get_parameter (para, pKEYLENGTH, 0)) nbits = 2048; @@ -489,7 +489,7 @@ proc_parameters (ctrl_t ctrl, xfree (cardkeyid); return gpg_error (GPG_ERR_INV_PARAMETER); } - + /* Check the usage. */ if (parse_parameter_usage (para, pKEYUSAGE)) { 
@@ -523,7 +523,7 @@ proc_parameters (ctrl_t ctrl, /* Check that the optional email address is okay. */ for (seq=0; (s=get_parameter_value (para, pNAMEEMAIL, seq)); seq++) - { + { if (has_invalid_email_chars (s) || *s == '@' || s[strlen(s)-1] == '@' @@ -564,7 +564,7 @@ proc_parameters (ctrl_t ctrl, else /* Generate new key. */ { sprintf (numbuf, "%u", nbits); - snprintf ((char*)keyparms, DIM (keyparms)-1, + snprintf ((char*)keyparms, DIM (keyparms)-1, "(6:genkey(3:rsa(5:nbits%d:%s)))", (int)strlen (numbuf), numbuf); rc = gpgsm_agent_genkey (ctrl, keyparms, &public); @@ -589,8 +589,8 @@ proc_parameters (ctrl_t ctrl, /* Parameters are checked, the key pair has been created. Now generate the request and write it out */ static int -create_request (ctrl_t ctrl, - struct para_data_s *para, +create_request (ctrl_t ctrl, + struct para_data_s *para, const char *carddirect, ksba_const_sexp_t public, struct reqgen_ctrl_s *outctrl) @@ -618,11 +618,11 @@ create_request (ctrl_t ctrl, goto leave; } if (DBG_HASHING) - gcry_md_start_debug (md, "cr.cri"); + gcry_md_debug (md, "cr.cri"); ksba_certreq_set_hash_function (cr, HASH_FNC, md); ksba_certreq_set_writer (cr, outctrl->writer); - + err = ksba_certreq_add_subject (cr, get_parameter_value (para, pNAMEDN, 0)); if (err) { @@ -718,14 +718,14 @@ create_request (ctrl_t ctrl, goto leave; } - + use = get_parameter_uint (para, pKEYUSAGE); if (use == GCRY_PK_USAGE_SIGN) { /* For signing only we encode the bits: KSBA_KEYUSAGE_DIGITAL_SIGNATURE KSBA_KEYUSAGE_NON_REPUDIATION */ - err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1, + err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1, "\x03\x02\x06\xC0", 4); } else if (use == GCRY_PK_USAGE_ENCR) 
@@ -733,7 +733,7 @@ create_request (ctrl_t ctrl, /* For encrypt only we encode the bits: KSBA_KEYUSAGE_KEY_ENCIPHERMENT KSBA_KEYUSAGE_DATA_ENCIPHERMENT */ - err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1, + err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1, "\x03\x02\x04\x30", 4); } else @@ -746,7 +746,7 @@ create_request (ctrl_t ctrl, goto leave; } - + do { err = ksba_certreq_build (cr, &stopreason); @@ -788,11 +788,11 @@ create_request (ctrl_t ctrl, gcry_sexp_release (s_pkey); bin2hex (grip, 20, hexgrip); - log_info ("about to sign CSR for key: &%s\n", hexgrip); + log_info ("about to sign CSR for key: &%s\n", hexgrip); if (carddirect) rc = gpgsm_scd_pksign (ctrl, carddirect, NULL, - gcry_md_read(md, GCRY_MD_SHA1), + gcry_md_read(md, GCRY_MD_SHA1), gcry_md_get_algo_dlen (GCRY_MD_SHA1), GCRY_MD_SHA1, &sigval, &siglen); @@ -802,13 +802,13 @@ create_request (ctrl_t ctrl, char *desc; orig_codeset = i18n_switchto_utf8 (); - desc = percent_plus_escape + desc = percent_plus_escape (_("To complete this certificate request please enter" " the passphrase for the key you just created once" " more.\n")); i18n_switchback (orig_codeset); rc = gpgsm_agent_pksign (ctrl, hexgrip, desc, - gcry_md_read(md, GCRY_MD_SHA1), + gcry_md_read(md, GCRY_MD_SHA1), gcry_md_get_algo_dlen (GCRY_MD_SHA1), GCRY_MD_SHA1, &sigval, &siglen); @@ -819,7 +819,7 @@ create_request (ctrl_t ctrl, log_error ("signing failed: %s\n", gpg_strerror (rc)); goto leave; } - + err = ksba_certreq_set_sig_val (cr, sigval); xfree (sigval); if (err) @@ -831,13 +831,13 @@ create_request (ctrl_t ctrl, } } } - while (stopreason != KSBA_SR_READY); + while (stopreason != KSBA_SR_READY); leave: gcry_md_close (md); ksba_certreq_release (cr); - return rc; + return rc; } @@ -868,7 +868,7 @@ gpgsm_genkey (ctrl_t ctrl, estream_t in_stream, FILE *out_fp) } rc = gpgsm_finish_writer (b64writer); - if (rc) + if (rc) { log_error ("write failed: %s\n", gpg_strerror (rc)); goto leave; 
diff --git a/sm/decrypt.c b/sm/decrypt.c index de02551..841fbd6 100644 --- a/sm/decrypt.c +++ b/sm/decrypt.c @@ -258,7 +258,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, FILE *out_fp) kh = keydb_new (0); if (!kh) { - log_error (_("failed to allocated keyDB handle\n")); + log_error (_("failed to allocate keyDB handle\n")); rc = gpg_error (GPG_ERR_GENERAL); goto leave; } diff --git a/sm/encrypt.c b/sm/encrypt.c index a526a64..42a438a 100644 --- a/sm/encrypt.c +++ b/sm/encrypt.c @@ -332,7 +332,7 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, FILE *out_fp) kh = keydb_new (0); if (!kh) { - log_error (_("failed to allocated keyDB handle\n")); + log_error (_("failed to allocate keyDB handle\n")); rc = gpg_error (GPG_ERR_GENERAL); goto leave; } diff --git a/sm/gpgsm-w32info.rc b/sm/gpgsm-w32info.rc new file mode 100644 index 0000000..d813b0d --- /dev/null +++ b/sm/gpgsm-w32info.rc 
@@ -0,0 +1,50 @@
+/* gpgsm-w32info.rc -*- c -*-
+ * Copyright (C) 2013 g10 Code GmbH
+ *
+ * This file is free software; as a special exception the author gives
+ * unlimited permission to copy and/or distribute it, with or without
+ * modifications, as long as this notice is preserved.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+ * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "afxres.h"
+#include "../common/w32info-rc.h"
+
+1 ICON "../common/gnupg.ico"
+
+1 VERSIONINFO
+ FILEVERSION W32INFO_VI_FILEVERSION
+ PRODUCTVERSION W32INFO_VI_PRODUCTVERSION
+ FILEFLAGSMASK 0x3fL
+#ifdef _DEBUG
+ FILEFLAGS 0x01L /* VS_FF_DEBUG (0x1)*/
+#else
+ FILEFLAGS 0x00L
+#endif
+ FILEOS 0x40004L /* VOS_NT (0x40000) | VOS__WINDOWS32 (0x4) */
+ FILETYPE 0x1L /* VFT_APP (0x1) */
+ FILESUBTYPE 0x0L /* VFT2_UNKNOWN */
+ BEGIN
+ BLOCK "StringFileInfo"
+ BEGIN
+ BLOCK "040904b0" /* US English (0409), Unicode (04b0) */
+ BEGIN
+ VALUE "FileDescription", L"GnuPG\x2019s X.509/CMS tool\0"
+ VALUE "InternalName", "gpgsm\0"
+ VALUE "OriginalFilename", "gpgsm.exe\0"
+ VALUE "ProductName", W32INFO_PRODUCTNAME
+ VALUE "ProductVersion", W32INFO_PRODUCTVERSION
+ VALUE "CompanyName", W32INFO_COMPANYNAME
+ VALUE "FileVersion", W32INFO_FILEVERSION
+ VALUE "LegalCopyright", W32INFO_LEGALCOPYRIGHT
+ VALUE "Comments", W32INFO_COMMENTS
+ END
+ END
+ BLOCK "VarFileInfo"
+ BEGIN
+ VALUE "Translation", 0x409, 0x4b0
+ END
+ END
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 484ce9d..97ec4bb 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -523,8 +523,8 @@ my_strusage( int level ) break; case 41: p = _("Syntax: gpgsm [options] [files]\n" - "sign, check, encrypt or decrypt using the S/MIME protocol\n" - "default operation depends on the input data\n"); + "Sign, check, encrypt or decrypt using the S/MIME protocol\n" + "Default operation depends on the input data\n"); break; case 20: @@ -951,7 +951,10 @@ main ( int argc, char **argv) default_config = 0; } else if (pargs.r_opt == oNoOptions) - default_config = 0; /* --no-options */ + { + default_config = 0; /* --no-options */ + opt.no_homedir_creation = 1; + } else if (pargs.r_opt == oHomedir) opt.homedir = pargs.r.ret_str; else if (pargs.r_opt == aCallProtectTool) @@ -1246,7 +1249,7 @@ main ( int argc, char **argv) goto next_pass; } break; - case oNoOptions: break; /* no-options */ + case oNoOptions: opt.no_homedir_creation = 1; break; /* no-options */ case oHomedir: opt.homedir = pargs.r.ret_str; break; case oAgentProgram: opt.agent_program = pargs.r.ret_str; break; diff --git a/sm/gpgsm.h b/sm/gpgsm.h index c4a261b..25a2e5b 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -50,7 +50,7 @@ struct keyserver_spec /* A large struct named "opt" to keep global flags. */ -struct +struct { unsigned int debug; /* debug flags (DBG_foo_VALUE) */ int verbose; /* verbosity level */ @@ -59,10 +59,11 @@ struct int answer_yes; /* assume yes on most questions */ int answer_no; /* assume no on most questions */ int dry_run; /* don't change any persistent data */ + int no_homedir_creation; const char *homedir; /* Configuration directory name */ const char *config_filename; /* Name of the used config file. */ - const char *agent_program; + const char *agent_program; session_env_t session_env; char *lc_ctype; @@ -75,7 +76,7 @@ struct char *outfile; /* name of output file */ int with_key_data;/* include raw key in the column delimted output */ - + int fingerprint; /* list fingerprints in all key listings */ int with_md5_fingerprint; /* Also print an MD5 fingerprint for 
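Review bot: The new `int no_homedir_creation;` member of the `opt` struct in sm/gpgsm.h is added without a comment, while the flags directly above it (`answer_no`, `dry_run`) each carry one. Since this flag decides whether gpgsm creates a directory on the user's behalf, I would document it in place, e.g. `int no_homedir_creation; /* do not auto-create the default home directory */`. From the hunks shown, it is set for `--no-options` in both option passes of main() in sm/gpgsm.c and read in try_make_homedir() in sm/keydb.c; naming that relationship in the comment would help the next reader.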
@@ -170,11 +171,11 @@ struct server_control_s int no_server; /* We are not running under server control */ int status_fd; /* Only for non-server mode */ struct server_local_s *server_local; - + audit_ctx_t audit; /* NULL or a context for the audit subsystem. */ int agent_seen; /* Flag indicating that the gpg-agent has been accessed. */ - + int with_colons; /* Use column delimited output format */ int with_chain; /* Include the certifying certs in a listing */ int with_validation;/* Validate each key while listing. */ @@ -203,7 +204,7 @@ typedef struct base64_context_s *Base64Context; /* An object to keep a list of certificates. */ -struct certlist_s +struct certlist_s { struct certlist_s *next; ksba_cert_t cert; @@ -386,7 +387,7 @@ int gpgsm_scd_pksign (ctrl_t ctrl, const char *keyid, const char *desc, unsigned char *digest, size_t digestlen, int digestalgo, unsigned char **r_buf, size_t *r_buflen); int gpgsm_agent_pkdecrypt (ctrl_t ctrl, const char *keygrip, const char *desc, - ksba_const_sexp_t ciphertext, + ksba_const_sexp_t ciphertext, char **r_buf, size_t *r_buflen); int gpgsm_agent_genkey (ctrl_t ctrl, ksba_const_sexp_t keyparms, ksba_sexp_t *r_pubkey); diff --git a/sm/keydb.c b/sm/keydb.c index 37f791e..4fc5e8c 100644 --- a/sm/keydb.c +++ b/sm/keydb.c @@ -1,5 +1,6 @@ /* keydb.c - key database dispatcher * Copyright (C) 2001, 2003, 2004 Free Software Foundation, Inc. + * Copyright (C) 2014 g10 Code GmbH * * This file is part of GnuPG. * @@ -25,6 +26,7 @@ #include #include #include +#include #include #include "gpgsm.h" @@ -32,6 +34,11 @@ #include "keydb.h" #include "i18n.h" +#ifdef MKDIR_TAKES_ONE_ARG +#undef mkdir +#define mkdir(a,b) mkdir(a) +#endif + static int active_handles; typedef enum { @@ -56,6 +63,7 @@ static int used_resources; struct keydb_handle { int locked; int found; + int saved_found; int current; int is_ephemeral; int used; /* items in active */ 
@@ -67,11 +75,173 @@ static int lock_all (KEYDB_HANDLE hd); static void unlock_all (KEYDB_HANDLE hd); +static void +try_make_homedir (const char *fname) +{ + const char *defhome = standard_homedir (); + + /* Create the directory only if the supplied directory name is the + same as the default one. This way we avoid to create arbitrary + directories when a non-default home directory is used. To cope + with HOME, we do compare only the suffix if we see that the + default homedir does start with a tilde. */ + if ( opt.dry_run || opt.no_homedir_creation ) + return; + + if ( +#ifdef HAVE_W32_SYSTEM + ( !compare_filenames (fname, defhome) ) +#else + ( *defhome == '~' + && (strlen(fname) >= strlen (defhome+1) + && !strcmp(fname+strlen(fname)-strlen(defhome+1), defhome+1 ) )) + || (*defhome != '~' && !compare_filenames( fname, defhome ) ) +#endif + ) + { + if ( mkdir (fname, S_IRUSR|S_IWUSR|S_IXUSR) ) + log_info (_("can't create directory `%s': %s\n"), + fname, strerror(errno) ); + else if (!opt.quiet ) + log_info (_("directory `%s' created\n"), fname); + } +} + + +/* Handle the creation of a keybox if it does not yet exist. Take + into acount that other processes might have the keybox already + locked. This lock check does not work if the directory itself is + not yet available. If R_CREATED is not NULL it will be set to true + if the function created a new keybox. */ +static int +maybe_create_keybox (char *filename, int force, int *r_created) +{ + DOTLOCK lockhd = NULL; + FILE *fp; + int rc; + mode_t oldmask; + char *last_slash_in_filename; + int save_slash; + + if (r_created) + *r_created = 0; + + /* A quick test whether the filename already exists. */ + if (!access (filename, F_OK)) + return 0; + + /* If we don't want to create a new file at all, there is no need to + go any further - bail out right here. */ + if (!force) + return gpg_error (GPG_ERR_ENOENT); + + /* First of all we try to create the home directory. 
Note, that we + don't do any locking here because any sane application of gpg + would create the home directory by itself and not rely on gpg's + tricky auto-creation which is anyway only done for some home + directory name patterns. */ + last_slash_in_filename = strrchr (filename, DIRSEP_C); +#if HAVE_W32_SYSTEM + { + /* Windows may either have a slash or a backslash. Take care of it. */ + char *p = strrchr (filename, '/'); + if (!last_slash_in_filename || p > last_slash_in_filename) + last_slash_in_filename = p; + } +#endif /*HAVE_W32_SYSTEM*/ + if (!last_slash_in_filename) + return gpg_error (GPG_ERR_ENOENT); /* No slash at all - should + not happen though. */ + save_slash = *last_slash_in_filename; + *last_slash_in_filename = 0; + if (access(filename, F_OK)) + { + static int tried; + + if (!tried) + { + tried = 1; + try_make_homedir (filename); + } + if (access (filename, F_OK)) + { + rc = gpg_error_from_syserror (); + *last_slash_in_filename = save_slash; + goto leave; + } + } + *last_slash_in_filename = save_slash; + + /* To avoid races with other instances of gpg trying to create or + update the keybox (it is removed during an update for a short + time), we do the next stuff in a locked state. */ + lockhd = create_dotlock (filename); + if (!lockhd) + { + /* A reason for this to fail is that the directory is not + writable. However, this whole locking stuff does not make + sense if this is the case. An empty non-writable directory + with no keyring is not really useful at all. */ + if (opt.verbose) + log_info ("can't allocate lock for `%s'\n", filename ); + + if (!force) + return gpg_error (GPG_ERR_ENOENT); + else + return gpg_error (GPG_ERR_GENERAL); + } + + if ( make_dotlock (lockhd, -1) ) + { + /* This is something bad. Probably a stale lockfile. */ + log_info ("can't lock `%s'\n", filename); + rc = gpg_error (GPG_ERR_GENERAL); + goto leave; + } + + /* Now the real test while we are locked. 
*/ + if (!access(filename, F_OK)) + { + rc = 0; /* Okay, we may access the file now. */ + goto leave; + } + + /* The file does not yet exist, create it now. */ + oldmask = umask (077); + fp = fopen (filename, "w"); + if (!fp) + { + rc = gpg_error_from_syserror (); + umask (oldmask); + log_error (_("error creating keybox `%s': %s\n"), + filename, gpg_strerror (rc)); + goto leave; + } + umask (oldmask); + + if (!opt.quiet) + log_info (_("keybox `%s' created\n"), filename); + if (r_created) + *r_created = 1; + + fclose (fp); + rc = 0; + + leave: + if (lockhd) + { + release_dotlock (lockhd); + destroy_dotlock (lockhd); + } + return rc; +} + + /* * Register a resource (which currently may only be a keybox file). * The first keybox which is added by this function is created if it * does not exist. If AUTO_CREATED is not NULL it will be set to true - * if the function has created a a new keybox. + * if the function has created a new keybox. */ int keydb_add_resource (const char *url, int force, int secret, int *auto_created) @@ -80,7 +250,6 @@ keydb_add_resource (const char *url, int force, int secret, int *auto_created) const char *resname = url; char *filename = NULL; int rc = 0; - FILE *fp; KeydbResourceType rt = KEYDB_RESOURCE_TYPE_NONE; if (auto_created) @@ -136,11 +305,11 @@ keydb_add_resource (const char *url, int force, int secret, int *auto_created) else rt = KEYDB_RESOURCE_TYPE_KEYBOX; } - else /* maybe empty: assume ring */ + else /* maybe empty: assume keybox */ rt = KEYDB_RESOURCE_TYPE_KEYBOX; fclose (fp2); } - else /* no file yet: create ring */ + else /* no file yet: create keybox */ rt = KEYDB_RESOURCE_TYPE_KEYBOX; } 
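Review bot: maybe_create_keybox() creates the keybox with `access (filename, F_OK)` followed by `fopen (filename, "w")`, which is a check-then-create sequence: the dotlock only serialises cooperating gpgsm processes, and mode `"w"` follows symlinks and truncates whatever exists at that path by the time it runs. Creating the file atomically, e.g. `fd = open (filename, O_WRONLY|O_CREAT|O_EXCL, S_IRUSR|S_IWUSR);` and treating `EEXIST` as "already present", would close that window and make the process-wide `umask (077)` switch unnecessary (this assumes the fcntl header is available in keydb.c, which the page does not show). Separately, the `if (!force)` test in the `create_dotlock` failure branch can never be true because the function has already returned for `!force` further up, so that branch always yields `GPG_ERR_GENERAL`. The return value of `fclose (fp)` is also ignored on the creation path.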
@@ -152,91 +321,46 @@ keydb_add_resource (const char *url, int force, int secret, int *auto_created) goto leave; case KEYDB_RESOURCE_TYPE_KEYBOX: - fp = fopen (filename, "rb"); - if (!fp && !force) - { - rc = gpg_error (gpg_err_code_from_errno (errno)); - goto leave; - } - - if (!fp) - { /* no file */ -#if 0 /* no autocreate of the homedirectory yet */ + rc = maybe_create_keybox (filename, force, auto_created); + if (rc) + goto leave; + /* Now register the file */ + { + void *token = keybox_register_file (filename, secret); + if (!token) + ; /* already registered - ignore it */ + else if (used_resources >= MAX_KEYDB_RESOURCES) + rc = gpg_error (GPG_ERR_RESOURCE_LIMIT); + else { - char *last_slash_in_filename; - - last_slash_in_filename = strrchr (filename, DIRSEP_C); - *last_slash_in_filename = 0; - if (access (filename, F_OK)) - { /* on the first time we try to create the default - homedir and in this case the process will be - terminated, so that on the next invocation can - read the options file in on startup */ - try_make_homedir (filename); - rc = gpg_error (GPG_ERR_FILE_OPEN_ERROR); - *last_slash_in_filename = DIRSEP_C; - goto leave; + all_resources[used_resources].type = rt; + all_resources[used_resources].u.kr = NULL; /* Not used here */ + all_resources[used_resources].token = token; + all_resources[used_resources].secret = secret; + + all_resources[used_resources].lockhandle + = create_dotlock (filename); + if (!all_resources[used_resources].lockhandle) + log_fatal ( _("can't create lock for `%s'\n"), filename); + + /* Do a compress run if needed and the file is not locked. 
*/ + if (!make_dotlock (all_resources[used_resources].lockhandle, 0)) + { + KEYBOX_HANDLE kbxhd = keybox_new (token, secret); + + if (kbxhd) + { + keybox_compress (kbxhd); + keybox_release (kbxhd); + } + release_dotlock (all_resources[used_resources].lockhandle); } - *last_slash_in_filename = DIRSEP_C; - } -#endif - fp = fopen (filename, "w"); - if (!fp) - { - rc = gpg_error (gpg_err_code_from_errno (errno)); - log_error (_("error creating keybox `%s': %s\n"), - filename, strerror(errno)); - if (errno == ENOENT) - log_info (_("you may want to start the gpg-agent first\n")); - goto leave; - } - - if (!opt.quiet) - log_info (_("keybox `%s' created\n"), filename); - if (auto_created) - *auto_created = 1; - } - fclose (fp); - fp = NULL; - /* now register the file */ - { - - void *token = keybox_register_file (filename, secret); - if (!token) - ; /* already registered - ignore it */ - else if (used_resources >= MAX_KEYDB_RESOURCES) - rc = gpg_error (GPG_ERR_RESOURCE_LIMIT); - else - { - all_resources[used_resources].type = rt; - all_resources[used_resources].u.kr = NULL; /* Not used here */ - all_resources[used_resources].token = token; - all_resources[used_resources].secret = secret; - - all_resources[used_resources].lockhandle - = create_dotlock (filename); - if (!all_resources[used_resources].lockhandle) - log_fatal ( _("can't create lock for `%s'\n"), filename); - - /* Do a compress run if needed and the file is not locked. */ - if (!make_dotlock (all_resources[used_resources].lockhandle, 0)) - { - KEYBOX_HANDLE kbxhd = keybox_new (token, secret); - - if (kbxhd) - { - keybox_compress (kbxhd); - keybox_release (kbxhd); - } - release_dotlock (all_resources[used_resources].lockhandle); - } - - used_resources++; - } - } + used_resources++; + } + } + break; - break; default: log_error ("resource type of `%s' not supported\n", url); rc = gpg_error (GPG_ERR_NOT_SUPPORTED); 
@@ -265,6 +389,7 @@ keydb_new (int secret) hd = xcalloc (1, sizeof *hd); hd->found = -1; + hd->saved_found = -1; assert (used_resources <= MAX_KEYDB_RESOURCES); for (i=j=0; i < used_resources; i++) @@ -476,6 +601,58 @@ unlock_all (KEYDB_HANDLE hd) hd->locked = 0; } + + +/* Push the last found state if any. */ +void +keydb_push_found_state (KEYDB_HANDLE hd) +{ + if (!hd) + return; + + if (hd->found < 0 || hd->found >= hd->used) + { + hd->saved_found = -1; + return; + } + + switch (hd->active[hd->found].type) + { + case KEYDB_RESOURCE_TYPE_NONE: + break; + case KEYDB_RESOURCE_TYPE_KEYBOX: + keybox_push_found_state (hd->active[hd->found].u.kr); + break; + } + + hd->saved_found = hd->found; + hd->found = -1; +} + + +/* Pop the last found state. */ +void +keydb_pop_found_state (KEYDB_HANDLE hd) +{ + if (!hd) + return; + + hd->found = hd->saved_found; + hd->saved_found = -1; + if (hd->found < 0 || hd->found >= hd->used) + return; + + switch (hd->active[hd->found].type) + { + case KEYDB_RESOURCE_TYPE_NONE: + break; + case KEYDB_RESOURCE_TYPE_KEYBOX: + keybox_pop_found_state (hd->active[hd->found].u.kr); + break; + } +} + + #if 0 /* diff --git a/sm/keydb.h b/sm/keydb.h index a440c50..f51d79d 100644 --- a/sm/keydb.h +++ b/sm/keydb.h @@ -49,6 +49,8 @@ gpg_error_t keydb_get_flags (KEYDB_HANDLE hd, int which, int idx, unsigned int *value); gpg_error_t keydb_set_flags (KEYDB_HANDLE hd, int which, int idx, unsigned int value); +void keydb_push_found_state (KEYDB_HANDLE hd); +void keydb_pop_found_state (KEYDB_HANDLE hd); int keydb_get_cert (KEYDB_HANDLE hd, ksba_cert_t *r_cert); int keydb_insert_cert (KEYDB_HANDLE hd, ksba_cert_t cert); int keydb_update_cert (KEYDB_HANDLE hd, ksba_cert_t cert); diff --git a/sm/server.c b/sm/server.c index fcf47a7..6ba5e58 100644 --- a/sm/server.c +++ b/sm/server.c 
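Review bot: keydb_push_found_state() keeps exactly one saved slot (`hd->saved_found`), so a second push before the matching pop silently overwrites the first saved position, and the one-line comments on both functions do not state this. I would spell out the contract above the pair, e.g. `/* Save the current found state and reset it. Only one level is kept: calls must not be nested and each push must be matched by keydb_pop_found_state. */`. It is also worth noting in the pop comment that calling it without a prior push sets `hd->found` to -1, because `saved_found` is initialised to -1 in keydb_new(). Whether keybox_push_found_state() itself supports nesting is not visible here, so the comment should only promise what this layer guarantees.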
@@ -1050,7 +1050,7 @@ cmd_getauditlog (assuan_context_t ctx, char *line) if (out_fd == -1) return set_error (GPG_ERR_ASS_NO_OUTPUT, NULL); - out_stream = es_fdopen_nc ( dup (out_fd), "w"); + out_stream = es_fdopen_nc (out_fd, "w"); if (!out_stream) { return set_error (GPG_ERR_ASS_GENERAL, "es_fdopen() failed"); diff --git a/sm/sign.c b/sm/sign.c index fd7c4ff..c173740 100644 --- a/sm/sign.c +++ b/sm/sign.c @@ -22,7 +22,7 @@ #include #include #include -#include +#include #include #include @@ -50,7 +50,7 @@ hash_data (int fd, gcry_md_hd_t md) return -1; } - do + do { nread = fread (buffer, 1, DIM(buffer), fp); gcry_md_write (md, buffer, nread); @@ -83,7 +83,7 @@ hash_and_copy_data (int fd, gcry_md_hd_t md, ksba_writer_t writer) return tmperr; } - do + do { nread = fread (buffer, 1, DIM(buffer), fp); if (nread) @@ -152,7 +152,7 @@ gpgsm_get_default_cert (ctrl_t ctrl, ksba_cert_t *r_cert) do { rc = keydb_get_cert (hd, &cert); - if (rc) + if (rc) { log_error ("keydb_get_cert failed: %s\n", gpg_strerror (rc)); keydb_release (hd); @@ -175,13 +175,13 @@ gpgsm_get_default_cert (ctrl_t ctrl, ksba_cert_t *r_cert) } } - ksba_cert_release (cert); + ksba_cert_release (cert); cert = NULL; } while (!(rc = keydb_search_next (hd))); if (rc && rc != -1) log_error ("keydb_search_next failed: %s\n", gpg_strerror (rc)); - + ksba_cert_release (cert); keydb_release (hd); return rc; @@ -225,7 +225,7 @@ get_default_signer (ctrl_t ctrl) { log_debug ("failed to find default certificate: rc=%d\n", rc); } - else + else { rc = keydb_get_cert (kh, &cert); if (rc) @@ -241,7 +241,7 @@ get_default_signer (ctrl_t ctrl) /* Depending on the options in CTRL add the certificate CERT as well as other certificate up in the chain to the Root-CA to the CMS object. */ -static int +static int add_certificate_list (ctrl_t ctrl, ksba_cms_t cms, ksba_cert_t cert) { gpg_error_t err; 
@@ -302,7 +302,7 @@ add_certificate_list (ctrl_t ctrl, ksba_cms_t cms, ksba_cert_t cert) -/* Perform a sign operation. +/* Perform a sign operation. Sign the data received on DATA-FD in embedded mode or in detached mode when DETACHED is true. Write the signature to OUT_FP. The @@ -332,7 +332,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, kh = keydb_new (0); if (!kh) { - log_error (_("failed to allocated keyDB handle\n")); + log_error (_("failed to allocate keyDB handle\n")); rc = gpg_error (GPG_ERR_GENERAL); goto leave; } @@ -380,7 +380,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, if (!cert) { log_error ("no default signer found\n"); - gpgsm_status2 (ctrl, STATUS_INV_SGNR, + gpgsm_status2 (ctrl, STATUS_INV_SGNR, get_inv_recpsgnr_code (GPG_ERR_NO_SECKEY), NULL); rc = gpg_error (GPG_ERR_GENERAL); goto leave; @@ -396,7 +396,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, char *tmpfpr; tmpfpr = gpgsm_get_fingerprint_hexstring (cert, 0); - gpgsm_status2 (ctrl, STATUS_INV_SGNR, + gpgsm_status2 (ctrl, STATUS_INV_SGNR, get_inv_recpsgnr_code (rc), tmpfpr, NULL); xfree (tmpfpr); goto leave; @@ -442,13 +442,13 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, case GCRY_MD_SHA384: oid = "2.16.840.1.101.3.4.2.2"; break; case GCRY_MD_SHA512: oid = "2.16.840.1.101.3.4.2.3"; break; /* case GCRY_MD_WHIRLPOOL: oid = "No OID yet"; break; */ - + case GCRY_MD_MD5: /* We don't want to use MD5. */ case 0: /* No algorithm found in cert. */ default: /* Other algorithms. */ log_info (_("hash algorithm %d (%s) for signer %d not supported;" " using %s\n"), - cl->hash_algo, oid? oid: "?", i, + cl->hash_algo, oid? oid: "?", i, gcry_md_algo_name (GCRY_MD_SHA1)); cl->hash_algo = GCRY_MD_SHA1; oid = "1.3.14.3.2.26"; 
@@ -460,7 +460,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, if (opt.verbose) { for (i=0, cl=signerlist; cl; cl = cl->next, i++) - log_info (_("hash algorithm used for signer %d: %s (%s)\n"), + log_info (_("hash algorithm used for signer %d: %s (%s)\n"), i, gcry_md_algo_name (cl->hash_algo), cl->hash_algo_oid); } @@ -471,7 +471,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, rc = gpgsm_cert_use_sign_p (cl->cert); if (rc) goto leave; - + err = ksba_cms_add_signer (cms, cl->cert); if (err) { @@ -505,13 +505,13 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, { size_t buflen; char buffer[1]; - - err = ksba_cert_get_user_data (cl->cert, "is_qualified", + + err = ksba_cert_get_user_data (cl->cert, "is_qualified", &buffer, sizeof (buffer), &buflen); if (err || !buflen) { log_error (_("checking for qualified certificate failed: %s\n"), - gpg_strerror (err)); + gpg_strerror (err)); rc = err; goto leave; } @@ -525,7 +525,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, goto leave; } } - + /* Prepare hashing (actually we are figuring out what we have set above). */ rc = gcry_md_open (&data_md, 0, 0); @@ -535,7 +535,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, goto leave; } if (DBG_HASHING) - gcry_md_start_debug (data_md, "sign.data"); + gcry_md_debug (data_md, "sign.data"); for (i=0; (algoid=ksba_cms_get_digest_algo_list (cms, i)); i++) { @@ -614,7 +614,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, /* Main building loop. */ - do + do { err = ksba_cms_build (cms, &stopreason); if (err) @@ -625,7 +625,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, } if (stopreason == KSBA_SR_BEGIN_DATA) - { + { /* Hash the data and store the message digest. */ unsigned char *digest; size_t digest_len; @@ -658,7 +658,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, } } else if (stopreason == KSBA_SR_NEED_SIG) - { + { /* Compute the signature for all signers. */ gcry_md_hd_t md; 
@@ -669,7 +669,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, goto leave; } if (DBG_HASHING) - gcry_md_start_debug (md, "sign.attr"); + gcry_md_debug (md, "sign.attr"); ksba_cms_set_hash_function (cms, HASH_FNC, md); for (cl=signerlist,signer=0; cl; cl = cl->next, signer++) { @@ -685,7 +685,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, for (cl_tmp=signerlist; cl_tmp; cl_tmp = cl_tmp->next) { gcry_md_enable (md, cl_tmp->hash_algo); - audit_log_i (ctrl->audit, AUDIT_ATTR_HASH_ALGO, + audit_log_i (ctrl->audit, AUDIT_ATTR_HASH_ALGO, cl_tmp->hash_algo); } } @@ -698,7 +698,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, gcry_md_close (md); goto leave; } - + rc = gpgsm_create_cms_signature (ctrl, cl->cert, md, cl->hash_algo, &sigval); if (rc) @@ -733,8 +733,8 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, int pkalgo = gpgsm_get_key_algo_info (cl->cert, NULL); buf = xtryasprintf ("%c %d %d 00 %s %s", detached? 'D':'S', - pkalgo, - cl->hash_algo, + pkalgo, + cl->hash_algo, signed_at, fpr); if (!buf) @@ -753,10 +753,10 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, gcry_md_close (md); } } - while (stopreason != KSBA_SR_READY); + while (stopreason != KSBA_SR_READY); rc = gpgsm_finish_writer (b64writer); - if (rc) + if (rc) { log_error ("write failed: %s\n", gpg_strerror (rc)); goto leave; @@ -774,7 +774,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, gpgsm_release_certlist (signerlist); ksba_cms_release (cms); gpgsm_destroy_writer (b64writer); - keydb_release (kh); + keydb_release (kh); gcry_md_close (data_md); return rc; } diff --git a/sm/verify.c b/sm/verify.c index c8663e3..0444dfe 100644 --- a/sm/verify.c +++ b/sm/verify.c @@ -22,7 +22,7 @@ #include #include #include -#include +#include #include #include @@ -37,7 +37,7 @@ static char * strtimestamp_r (ksba_isotime_t atime) { char *buffer = xmalloc (15); - + if (!atime || !*atime) strcpy (buffer, "none"); else 
@@ -64,7 +64,7 @@ hash_data (int fd, gcry_md_hd_t md) return err; } - do + do { nread = fread (buffer, 1, DIM(buffer), fp); gcry_md_write (md, buffer, nread); @@ -110,7 +110,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) kh = keydb_new (0); if (!kh) { - log_error (_("failed to allocated keyDB handle\n")); + log_error (_("failed to allocate keyDB handle\n")); rc = gpg_error (GPG_ERR_GENERAL); goto leave; } @@ -160,12 +160,12 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) goto leave; } if (DBG_HASHING) - gcry_md_start_debug (data_md, "vrfy.data"); + gcry_md_debug (data_md, "vrfy.data"); audit_log (ctrl->audit, AUDIT_SETUP_READY); is_detached = 0; - do + do { rc = ksba_cms_parse (cms, &stopreason); if (rc) @@ -184,7 +184,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) if (stopreason == KSBA_SR_NEED_HASH || stopreason == KSBA_SR_BEGIN_DATA) - { + { audit_log (ctrl->audit, AUDIT_GOT_DATA); /* We are now able to enable the hash algorithms */ @@ -213,7 +213,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) if (opt.extra_digest_algo) { if (DBG_X509) - log_debug ("enabling extra hash algorithm %d\n", + log_debug ("enabling extra hash algorithm %d\n", opt.extra_digest_algo); gcry_md_enable (data_md, opt.extra_digest_algo); audit_log_i (ctrl->audit, AUDIT_DATA_HASH_ALGO, @@ -241,12 +241,12 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) audit_log_ok (ctrl->audit, AUDIT_DATA_HASHING, 0); } } - while (stopreason != KSBA_SR_READY); + while (stopreason != KSBA_SR_READY); if (b64writer) { rc = gpgsm_finish_writer (b64writer); - if (rc) + if (rc) { log_error ("write failed: %s\n", gpg_strerror (rc)); audit_log_ok (ctrl->audit, AUDIT_WRITE_ERROR, rc); 
@@ -268,7 +268,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) certificate first before entering it into the DB. This way we would avoid cluttering the DB with invalid certificates. */ - audit_log_cert (ctrl->audit, AUDIT_SAVE_CERT, cert, + audit_log_cert (ctrl->audit, AUDIT_SAVE_CERT, cert, keydb_store_cert (cert, 0, NULL)); ksba_cert_release (cert); } @@ -344,7 +344,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) &algo, &is_enabled) || !is_enabled) { - log_error ("digest algo %d (%s) has not been enabled\n", + log_error ("digest algo %d (%s) has not been enabled\n", algo, algoid?algoid:""); audit_log_s (ctrl->audit, AUDIT_SIG_STATUS, "unsupported"); goto next_signer; @@ -355,7 +355,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) assert (!msgdigest); rc = 0; algoid = NULL; - algo = 0; + algo = 0; } else /* real error */ { @@ -365,7 +365,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) rc = ksba_cms_get_sigattr_oids (cms, signer, "1.2.840.113549.1.9.3", &ctattr); - if (!rc) + if (!rc) { const char *s; @@ -484,9 +484,9 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) gpgsm_status (ctrl, STATUS_BADSIG, fpr); xfree (fpr); audit_log_s (ctrl->audit, AUDIT_SIG_STATUS, "bad"); - goto next_signer; + goto next_signer; } - + audit_log_i (ctrl->audit, AUDIT_ATTR_HASH_ALGO, sigval_hash_algo); rc = gcry_md_open (&md, sigval_hash_algo, 0); if (rc) @@ -496,7 +496,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) goto next_signer; } if (DBG_HASHING) - gcry_md_start_debug (md, "vrfy.attr"); + gcry_md_debug (md, "vrfy.attr"); ksba_cms_set_hash_function (cms, HASH_FNC, md); rc = ksba_cms_hash_signed_attrs (cms, signer); 
@@ -508,13 +508,13 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) audit_log_s (ctrl->audit, AUDIT_SIG_STATUS, "error"); goto next_signer; } - rc = gpgsm_check_cms_signature (cert, sigval, md, + rc = gpgsm_check_cms_signature (cert, sigval, md, sigval_hash_algo, &info_pkalgo); gcry_md_close (md); } else { - rc = gpgsm_check_cms_signature (cert, sigval, data_md, + rc = gpgsm_check_cms_signature (cert, sigval, data_md, algo, &info_pkalgo); } @@ -542,7 +542,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) audit_log (ctrl->audit, AUDIT_VALIDATE_CHAIN); rc = gpgsm_validate_chain (ctrl, cert, *sigtime? sigtime : "19700101T000000", - keyexptime, 0, + keyexptime, 0, NULL, 0, &verifyflags); { char *fpr, *buf, *tstr; @@ -555,7 +555,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) } else gpgsm_status (ctrl, STATUS_GOODSIG, fpr); - + xfree (fpr); fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1); @@ -581,7 +581,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) gpgsm_status_with_err_code (ctrl, STATUS_TRUST_NEVER, NULL, gpg_err_code (rc)); else - gpgsm_status_with_err_code (ctrl, STATUS_TRUST_UNDEFINED, NULL, + gpgsm_status_with_err_code (ctrl, STATUS_TRUST_UNDEFINED, NULL, gpg_err_code (rc)); audit_log_s (ctrl->audit, AUDIT_SIG_STATUS, "bad"); goto next_signer; @@ -603,7 +603,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) { size_t qualbuflen; char qualbuffer[1]; - + rc = ksba_cert_get_user_data (cert, "is_qualified", &qualbuffer, sizeof (qualbuffer), &qualbuflen); if (!rc && qualbuflen) 
@@ -612,20 +612,20 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) { log_info (_("This is a qualified signature\n")); if (!opt.qualsig_approval) - log_info + log_info (_("Note, that this software is not officially approved " "to create or verify such signatures.\n")); } - } + } else if (gpg_err_code (rc) != GPG_ERR_NOT_FOUND) log_error ("get_user_data(is_qualified) failed: %s\n", - gpg_strerror (rc)); + gpg_strerror (rc)); } - gpgsm_status (ctrl, STATUS_TRUST_FULLY, + gpgsm_status (ctrl, STATUS_TRUST_FULLY, (verifyflags & VALIDATE_FLAG_CHAIN_MODEL)? "0 chain": "0 shell"); - + next_signer: rc = 0; @@ -642,7 +642,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, FILE *out_fp) ksba_cms_release (cms); gpgsm_destroy_reader (b64reader); gpgsm_destroy_writer (b64writer); - keydb_release (kh); + keydb_release (kh); gcry_md_close (data_md); if (fp) fclose (fp); -- cgit v1.2.3