authorVsevolod Stakhov <vsevolod@highsecure.ru>2016-02-06 01:56:47 +0000
committerVsevolod Stakhov <vsevolod@highsecure.ru>2016-02-06 01:56:47 +0000
commit763dc4a2181e7b488a36f8284ea2b0140d45c38e (patch)
treef3c249863cf7ff3e8d0eb5f5305b69d7663a8439
parent8fd7fee2ddfa640bb30e7f9e2c44d0f656129c13 (diff)
downloadrspamd-763dc4a2181e7b488a36f8284ea2b0140d45c38e.tar.gz
rspamd-763dc4a2181e7b488a36f8284ea2b0140d45c38e.zip
Fix rspamadm
-rw-r--r--src/libcryptobox/keypair.c5
-rw-r--r--src/rspamadm/keypair.c186
-rw-r--r--src/rspamadm/signtool.c86
3 files changed, 68 insertions, 209 deletions
diff --git a/src/libcryptobox/keypair.c b/src/libcryptobox/keypair.c
index 936ec219f..92beb592c 100644
--- a/src/libcryptobox/keypair.c
+++ b/src/libcryptobox/keypair.c
@@ -608,6 +608,11 @@ rspamd_keypair_from_ucl (const ucl_object_t *obj)
return NULL;
}
+ elt = ucl_object_find_key (obj, "keypair");
+ if (elt != NULL) {
+ obj = elt;
+ }
+
pubkey = ucl_object_find_any_key (obj, "pubkey", "public", "public_key",
NULL);
if (pubkey == NULL || ucl_object_type (pubkey) != UCL_STRING) {
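Review bot: The descent at `obj = elt;` does not check that the `keypair` child is itself an object, so a string- or array-valued `keypair` entry becomes the lookup root and the failure surfaces one step later as a missing pubkey instead of as a malformed keypair block; the signtool code this replaces did test `ucl_object_type (elt) != UCL_OBJECT` before descending. Suggest `if (elt != NULL && ucl_object_type (elt) == UCL_OBJECT) { obj = elt; }`, or an explicit `return NULL` for the wrong type so callers get a clear error. rspamd_keypair_from_ucl begins outside the hunk.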
diff --git a/src/rspamadm/keypair.c b/src/rspamadm/keypair.c
index 8f2f494de..2cfbee972 100644
--- a/src/rspamadm/keypair.c
+++ b/src/rspamadm/keypair.c
@@ -19,7 +19,7 @@
#include "printf.h"
#include "http.h"
#include "ucl.h"
-#include "keypair_private.h"
+#include "libcryptobox/keypair.h"
#include "libutil/str_util.h"
static gboolean hex_encode = FALSE;
@@ -80,15 +80,13 @@ rspamadm_keypair (gint argc, gchar **argv)
{
GOptionContext *context;
GError *error = NULL;
- gpointer keypair;
- GString *keypair_out;
- gint how;
- ucl_object_t *ucl_out, *elt;
+ struct rspamd_cryptobox_keypair *kp;
+ gint how = 0;
+ ucl_object_t *ucl_out;
struct ucl_emitter_functions *ucl_emit_subr;
- guchar *sig_sk, *sig_pk;
- gchar *sig_sk_encoded, *sig_pk_encoded, *pk_id_encoded;
- guchar kh[rspamd_cryptobox_HASHBYTES];
- const gchar *encoding;
+ GString *out;
+ enum rspamd_cryptobox_keypair_type type = RSPAMD_KEYPAIR_KEX;
+ enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519;
context = g_option_context_new (
"keypair - create encryption keys");
@@ -106,159 +104,39 @@ rspamadm_keypair (gint argc, gchar **argv)
}
if (openssl) {
- if (!rspamd_cryptobox_openssl_mode (TRUE)) {
- fprintf (stderr, "cannot enable openssl mode (incompatible openssl)\n");
- exit (1);
- }
+ mode = RSPAMD_CRYPTOBOX_MODE_NIST;
}
-
- if (!sign) {
- keypair = rspamd_http_connection_gen_key ();
- if (keypair == NULL) {
- exit (EXIT_FAILURE);
- }
-
- how = 0;
-
- if (hex_encode) {
- how |= RSPAMD_KEYPAIR_HEX;
- encoding = "hex";
- }
- else {
- how |= RSPAMD_KEYPAIR_BASE32;
- encoding = "base32";
- }
-
- if (ucl) {
- ucl_out = ucl_object_typed_new (UCL_OBJECT);
- elt = ucl_object_typed_new (UCL_OBJECT);
- ucl_object_insert_key (ucl_out, elt, "keypair", 0, false);
-
- /* pubkey part */
- keypair_out = rspamd_http_connection_print_key (keypair,
- RSPAMD_KEYPAIR_PUBKEY|how);
- ucl_object_insert_key (elt,
- ucl_object_fromlstring (keypair_out->str, keypair_out->len),
- "pubkey", 0, false);
- g_string_free (keypair_out, TRUE);
-
- /* privkey part */
- keypair_out = rspamd_http_connection_print_key (keypair,
- RSPAMD_KEYPAIR_PRIVKEY|how);
- ucl_object_insert_key (elt,
- ucl_object_fromlstring (keypair_out->str, keypair_out->len),
- "privkey", 0, false);
- g_string_free (keypair_out, TRUE);
-
- keypair_out = rspamd_http_connection_print_key (keypair,
- RSPAMD_KEYPAIR_ID|how);
- ucl_object_insert_key (elt,
- ucl_object_fromlstring (keypair_out->str, keypair_out->len),
- "id", 0, false);
- ucl_object_insert_key (elt,
- ucl_object_fromstring (encoding),
- "encoding", 0, false);
- ucl_object_insert_key (elt,
- ucl_object_fromstring (openssl ? "nistp256" : "curve25519"),
- "algorithm", 0, false);
- ucl_object_insert_key (elt,
- ucl_object_fromstring ("kex"),
- "type", 0, false);
-
- ucl_emit_subr = ucl_object_emit_file_funcs (stdout);
- ucl_object_emit_full (ucl_out, UCL_EMIT_CONFIG, ucl_emit_subr);
- ucl_object_emit_funcs_free (ucl_emit_subr);
- ucl_object_unref (ucl_out);
- }
- else {
- how |= RSPAMD_KEYPAIR_PUBKEY | RSPAMD_KEYPAIR_PRIVKEY;
-
- if (!raw) {
- how |= RSPAMD_KEYPAIR_HUMAN|RSPAMD_KEYPAIR_ID;
- }
-
- keypair_out = rspamd_http_connection_print_key (keypair, how);
- rspamd_printf ("%v", keypair_out);
- }
-
- rspamd_http_connection_key_unref (keypair);
- rspamd_explicit_memzero (keypair_out->str, keypair_out->len);
- g_string_free (keypair_out, TRUE);
+ if (hex_encode) {
+ how |= RSPAMD_KEYPAIR_HEX;
}
else {
- sig_sk = g_malloc (rspamd_cryptobox_sk_sig_bytes ());
- sig_pk = g_malloc (rspamd_cryptobox_pk_sig_bytes ());
-
- rspamd_cryptobox_keypair_sig (sig_pk, sig_sk);
- rspamd_cryptobox_hash (kh, sig_pk, rspamd_cryptobox_pk_sig_bytes (),
- NULL, 0);
-
- if (hex_encode) {
- encoding = "hex";
- sig_pk_encoded = rspamd_encode_hex (sig_pk,
- rspamd_cryptobox_pk_sig_bytes ());
- sig_sk_encoded = rspamd_encode_hex (sig_sk,
- rspamd_cryptobox_sk_sig_bytes ());
- pk_id_encoded = rspamd_encode_hex (kh, sizeof (kh));
- }
- else {
- encoding = "base32";
- sig_pk_encoded = rspamd_encode_base32 (sig_pk,
- rspamd_cryptobox_pk_sig_bytes ());
- sig_sk_encoded = rspamd_encode_base32 (sig_sk,
- rspamd_cryptobox_sk_sig_bytes ());
- pk_id_encoded = rspamd_encode_base32 (kh, sizeof (kh));
- }
-
- if (ucl) {
- ucl_out = ucl_object_typed_new (UCL_OBJECT);
- elt = ucl_object_typed_new (UCL_OBJECT);
- ucl_object_insert_key (ucl_out, elt, "keypair", 0, false);
-
- /* pubkey part */
- ucl_object_insert_key (elt,
- ucl_object_fromstring (sig_pk_encoded),
- "pubkey", 0, false);
-
- /* privkey part */
- ucl_object_insert_key (elt,
- ucl_object_fromstring (sig_sk_encoded),
- "privkey", 0, false);
+ how |= RSPAMD_KEYPAIR_BASE32;
+ }
- ucl_object_insert_key (elt,
- ucl_object_fromstring (pk_id_encoded),
- "id", 0, false);
+ if (sign) {
+ type = RSPAMD_KEYPAIR_SIGN;
+ }
- ucl_object_insert_key (elt,
- ucl_object_fromstring (encoding),
- "encoding", 0, false);
+ kp = rspamd_keypair_new (type, mode);
- ucl_object_insert_key (elt,
- ucl_object_fromstring (openssl ? "nistp256" : "curve25519"),
- "algorithm", 0, false);
- ucl_object_insert_key (elt,
- ucl_object_fromstring ("sign"),
- "type", 0, false);
+ if (ucl) {
+ ucl_out = rspamd_keypair_to_ucl (kp, hex_encode);
+ ucl_emit_subr = ucl_object_emit_file_funcs (stdout);
+ ucl_object_emit_full (ucl_out, UCL_EMIT_CONFIG, ucl_emit_subr);
+ ucl_object_emit_funcs_free (ucl_emit_subr);
+ ucl_object_unref (ucl_out);
+ }
+ else {
+ how |= RSPAMD_KEYPAIR_PUBKEY | RSPAMD_KEYPAIR_PRIVKEY;
- ucl_emit_subr = ucl_object_emit_file_funcs (stdout);
- ucl_object_emit_full (ucl_out, UCL_EMIT_CONFIG, ucl_emit_subr);
- ucl_object_emit_funcs_free (ucl_emit_subr);
- ucl_object_unref (ucl_out);
+ if (!raw) {
+ how |= RSPAMD_KEYPAIR_HUMAN|RSPAMD_KEYPAIR_ID;
}
- else {
- rspamd_printf ("Public key: %s\nPrivate key: %s\nKey ID: %s\n",
- sig_pk_encoded,
- sig_sk_encoded,
- pk_id_encoded);
- }
-
- rspamd_explicit_memzero (sig_sk, rspamd_cryptobox_sk_sig_bytes ());
- rspamd_explicit_memzero (sig_sk_encoded, strlen (sig_sk_encoded));
- g_free (sig_pk);
- g_free (sig_sk);
- g_free (sig_pk_encoded);
- g_free (sig_sk_encoded);
- g_free (pk_id_encoded);
+ out = rspamd_keypair_print (kp, how);
+ rspamd_printf ("%v", kp);
+ g_string_free (out, TRUE);
}
+
+ rspamd_keypair_unref (kp);
}
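Review bot: `rspamd_printf ("%v", kp);` on the line after `out = rspamd_keypair_print (kp, how);` passes the keypair struct where the `%v` conversion takes the GString (the removed code printed `keypair_out`), so the non-UCL output path prints garbage or crashes; it should read `rspamd_printf ("%v", out);`. The same path also dropped the `rspamd_explicit_memzero (keypair_out->str, keypair_out->len)` that preceded freeing the printed buffer, which contains the private key whenever `RSPAMD_KEYPAIR_PRIVKEY` is set, so add `rspamd_explicit_memzero (out->str, out->len);` before `g_string_free (out, TRUE);`. `rspamd_keypair_new (type, mode)` is no longer checked for NULL before use, whereas the old code exited on a NULL keypair; if it can fail, the `kp == NULL` exit should be restored before the `if (ucl)` branch. The body of rspamadm_keypair begins outside the hunk.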
diff --git a/src/rspamadm/signtool.c b/src/rspamadm/signtool.c
index c63c16090..8c9d9e705 100644
--- a/src/rspamadm/signtool.c
+++ b/src/rspamadm/signtool.c
@@ -19,7 +19,7 @@
#include "cryptobox.h"
#include "printf.h"
#include "ucl.h"
-#include "keypair_private.h"
+#include "libcryptobox/keypair.h"
#include "libutil/str_util.h"
#include "libutil/util.h"
#include "unix-std.h"
@@ -31,6 +31,7 @@ static gchar *suffix = NULL;
static gchar *pubkey_file = NULL;
static gchar *pubkey = NULL;
static gchar *keypair_file = NULL;
+enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519;
static void rspamadm_signtool (gint argc, gchar **argv);
static const char *rspamadm_signtool_help (gboolean full_help);
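Review bot: `enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519;` is the only file-scope variable in this group without `static`, so it gets external linkage under a very generic symbol name while every neighbouring option (`suffix`, `pubkey_file`, `pubkey`, `keypair_file`) is file-local. Nothing on the page reads it from another translation unit, so `static enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519;` keeps it private and consistent with its neighbours.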
@@ -127,10 +128,11 @@ rspamadm_sign_file (const gchar *fname, const guchar *sk)
exit (errno);
}
- g_assert (rspamd_cryptobox_MAX_SIGBYTES >= rspamd_cryptobox_signature_bytes ());
+ g_assert (rspamd_cryptobox_MAX_SIGBYTES >=
+ rspamd_cryptobox_signature_bytes (mode));
- rspamd_cryptobox_sign (sig, NULL, map, st.st_size, sk);
- write (fd_sig, sig, rspamd_cryptobox_signature_bytes ());
+ rspamd_cryptobox_sign (sig, NULL, map, st.st_size, sk, mode);
+ write (fd_sig, sig, rspamd_cryptobox_signature_bytes (mode));
close (fd_sig);
munmap (map, st.st_size);
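Review bot: The return value of `write (fd_sig, sig, rspamd_cryptobox_signature_bytes (mode))` is still discarded, so a failed or short write leaves a truncated signature file that is only noticed later by the `invalid signature size` check in rspamadm_verify_file, with no error reported at signing time. Compare it with the signature length and fail before `close (fd_sig)`, in the style of the `exit (errno)` at the top of the hunk: `if (write (fd_sig, sig, rspamd_cryptobox_signature_bytes (mode)) != (gssize)rspamd_cryptobox_signature_bytes (mode)) { rspamd_fprintf (stderr, "cannot write signature for %s: %s\n", fname, strerror (errno)); exit (errno); }`. rspamadm_sign_file begins outside the hunk.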
@@ -151,7 +153,8 @@ rspamadm_verify_file (const gchar *fname, const guchar *pk)
struct stat st, st_sig;
bool ret;
- g_assert (rspamd_cryptobox_MAX_SIGBYTES >= rspamd_cryptobox_signature_bytes ());
+ g_assert (rspamd_cryptobox_MAX_SIGBYTES >=
+ rspamd_cryptobox_signature_bytes (mode));
if (suffix == NULL) {
suffix = ".sig";
@@ -189,7 +192,7 @@ rspamadm_verify_file (const gchar *fname, const guchar *pk)
g_assert (fstat (fd_sig, &st_sig) != -1);
- if (st_sig.st_size != rspamd_cryptobox_signature_bytes ()) {
+ if (st_sig.st_size != rspamd_cryptobox_signature_bytes (mode)) {
close (fd_sig);
rspamd_fprintf (stderr, "invalid signature size %s: %ud\n", fname,
(guint)st_sig.st_size);
@@ -207,7 +210,7 @@ rspamadm_verify_file (const gchar *fname, const guchar *pk)
exit (errno);
}
- ret = rspamd_cryptobox_verify (map_sig, map, st.st_size, pk);
+ ret = rspamd_cryptobox_verify (map_sig, map, st.st_size, pk, mode);
munmap (map, st.st_size);
munmap (map_sig, st_sig.st_size);
@@ -231,9 +234,9 @@ rspamadm_signtool (gint argc, gchar **argv)
GError *error = NULL;
struct ucl_parser *parser;
ucl_object_t *top;
- const ucl_object_t *elt;
- guchar *pk, *sk;
- gsize fsize, flen, klen;
+ struct rspamd_cryptobox_pubkey *pk;
+ struct rspamd_cryptobox_keypair *kp;
+ gsize fsize, flen;
gint i;
context = g_option_context_new (
@@ -252,10 +255,7 @@ rspamadm_signtool (gint argc, gchar **argv)
}
if (openssl) {
- if (!rspamd_cryptobox_openssl_mode (TRUE)) {
- rspamd_fprintf (stderr, "cannot enable openssl mode (incompatible openssl)\n");
- exit (1);
- }
+ mode = RSPAMD_CRYPTOBOX_MODE_NIST;
}
if (verify && (!pubkey && !pubkey_file)) {
@@ -300,29 +300,32 @@ rspamadm_signtool (gint argc, gchar **argv)
flen --;
}
- pk = rspamd_decode_base32 (map, flen, &klen);
+ pk = rspamd_pubkey_from_base32 (map, flen,
+ RSPAMD_KEYPAIR_SIGN, mode);
- if (klen != rspamd_cryptobox_pk_sig_bytes () || pk == NULL) {
- rspamd_fprintf (stderr, "bad size %s: %ud, %ud expected\n", klen,
- rspamd_cryptobox_pk_sig_bytes ());
+ if (pk == NULL) {
+ rspamd_fprintf (stderr, "bad size %s: %ud, %ud expected\n", flen,
+ rspamd_cryptobox_pk_sig_bytes (mode));
exit (errno);
}
munmap (map, fsize);
}
else {
- pk = rspamd_decode_base32 (pubkey, strlen (pubkey), &klen);
+ pk = rspamd_pubkey_from_base32 (pubkey, strlen (pubkey),
+ RSPAMD_KEYPAIR_SIGN, mode);
- if (klen != rspamd_cryptobox_pk_sig_bytes () || pk == NULL) {
- rspamd_fprintf (stderr, "bad size %s: %ud, %ud expected\n", klen,
- rspamd_cryptobox_pk_sig_bytes ());
+ if (pk == NULL) {
+ rspamd_fprintf (stderr, "bad size %s: %ud, %ud expected\n",
+ strlen (pubkey),
+ rspamd_cryptobox_pk_sig_bytes (mode));
exit (errno);
}
}
for (i = 1; i < argc; i++) {
/* XXX: support cmd line signature */
- if (!rspamadm_verify_file (argv[i], pk)) {
+ if (!rspamadm_verify_file (argv[i], rspamd_pubkey_get_pk (pk, NULL))) {
exit (EXIT_FAILURE);
}
}
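Review bot: Both `bad size %s: %ud, %ud expected` calls in this hunk pass two arguments to a format with three conversions, and the first conversion `%s` receives a `gsize` (`flen`, `strlen (pubkey)`), so the error path meant to explain a rejected public key reads an integer as a string pointer; the removed lines had the same mismatch, but the commit rewrote them and kept it. Either drop the `%s` or feed it the key source, and cast the sizes the way the verify hunk does with `(guint)st_sig.st_size`: `rspamd_fprintf (stderr, "bad size: %ud, %ud expected\n", (guint)flen, (guint)rspamd_cryptobox_pk_sig_bytes (mode));` (and the same with `(guint)strlen (pubkey)` in the else branch). In addition, `exit (errno)` after `rspamd_pubkey_from_base32` returns NULL reports whatever errno happened to hold, plausibly 0, so a decode failure can exit with a success status; `exit (EINVAL)` as in the removed keypair-loading code is safer. rspamadm_signtool continues outside the hunk.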
@@ -343,44 +346,17 @@ rspamadm_signtool (gint argc, gchar **argv)
ucl_parser_free (parser);
- /* XXX: add generic routine to parse all keypair types */
- elt = ucl_object_find_key (top, "keypair");
-
- /* XXX: add secure cleanup */
- if (elt == NULL || ucl_object_type (elt) != UCL_OBJECT) {
- rspamd_fprintf (stderr, "cannot load keypair: absent keypair\n");
- ucl_object_unref (top);
- exit (EINVAL);
- }
-
- elt = ucl_object_find_key (elt, "privkey");
-
- if (elt == NULL || ucl_object_type (elt) != UCL_STRING) {
- rspamd_fprintf (stderr, "cannot load keypair: absent privkey\n");
- ucl_object_unref (top);
- exit (EINVAL);
- }
-
- sk = rspamd_decode_base32 (ucl_object_tostring (elt),
- elt->len, &klen);
- ucl_object_unref (top);
-
- if (klen != rspamd_cryptobox_sk_sig_bytes () || sk == NULL) {
- rspamd_fprintf (stderr, "bad size %s: %ud, %ud expected\n",
- ucl_object_tostring (elt),klen,
- rspamd_cryptobox_sk_sig_bytes ());
- exit (errno);
- }
+ kp = rspamd_keypair_from_ucl (top);
for (i = 1; i < argc; i++) {
/* XXX: support cmd line signature */
- if (!rspamadm_sign_file (argv[i], sk)) {
- rspamd_explicit_memzero (sk, klen);
+ if (!rspamadm_sign_file (argv[i], rspamd_keypair_component (
+ kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL))) {
+ rspamd_keypair_unref (kp);
exit (EXIT_FAILURE);
}
}
- rspamd_explicit_memzero (sk, klen);
- g_free (sk);
+ rspamd_keypair_unref (kp);
}
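Review bot: `kp = rspamd_keypair_from_ucl (top);` is not checked for NULL before `rspamd_keypair_component (kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL)` runs in the loop, whereas the removed lines exited with a `cannot load keypair` message on a missing or malformed keypair, so a config without a usable keypair now dereferences NULL instead of failing cleanly (the libcryptobox hunk shows rspamd_keypair_from_ucl does `return NULL` on bad input). The `ucl_object_unref (top)` that followed the old decode was also dropped, so the parsed config object is leaked. Restore both immediately after the call, as below. The removed `rspamd_explicit_memzero (sk, klen)` presumably moves into rspamd_keypair_unref now that the secret lives inside the keypair object; worth confirming, since otherwise the secret-key bytes stay in memory. rspamadm_signtool begins outside the hunk.
```c
	kp = rspamd_keypair_from_ucl (top);
	ucl_object_unref (top);

	if (kp == NULL) {
		rspamd_fprintf (stderr, "cannot load keypair: absent or malformed keypair\n");
		exit (EINVAL);
	}

	/* … unchanged: signing loop over argv and rspamd_keypair_unref (kp) … */
```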
}