diff options
author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2016-02-06 01:56:47 +0000 |
---|---|---|
committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2016-02-06 01:56:47 +0000 |
commit | 763dc4a2181e7b488a36f8284ea2b0140d45c38e (patch) | |
tree | f3c249863cf7ff3e8d0eb5f5305b69d7663a8439 | |
parent | 8fd7fee2ddfa640bb30e7f9e2c44d0f656129c13 (diff) | |
download | rspamd-763dc4a2181e7b488a36f8284ea2b0140d45c38e.tar.gz rspamd-763dc4a2181e7b488a36f8284ea2b0140d45c38e.zip |
Fix rspamadm
-rw-r--r-- | src/libcryptobox/keypair.c | 5 | ||||
-rw-r--r-- | src/rspamadm/keypair.c | 186 | ||||
-rw-r--r-- | src/rspamadm/signtool.c | 86 |
3 files changed, 68 insertions, 209 deletions
diff --git a/src/libcryptobox/keypair.c b/src/libcryptobox/keypair.c index 936ec219f..92beb592c 100644 --- a/src/libcryptobox/keypair.c +++ b/src/libcryptobox/keypair.c @@ -608,6 +608,11 @@ rspamd_keypair_from_ucl (const ucl_object_t *obj) return NULL; } + elt = ucl_object_find_key (obj, "keypair"); + if (elt != NULL) { + obj = elt; + } + pubkey = ucl_object_find_any_key (obj, "pubkey", "public", "public_key", NULL); if (pubkey == NULL || ucl_object_type (pubkey) != UCL_STRING) { diff --git a/src/rspamadm/keypair.c b/src/rspamadm/keypair.c index 8f2f494de..2cfbee972 100644 --- a/src/rspamadm/keypair.c +++ b/src/rspamadm/keypair.c @@ -19,7 +19,7 @@ #include "printf.h" #include "http.h" #include "ucl.h" -#include "keypair_private.h" +#include "libcryptobox/keypair.h" #include "libutil/str_util.h" static gboolean hex_encode = FALSE; @@ -80,15 +80,13 @@ rspamadm_keypair (gint argc, gchar **argv) { GOptionContext *context; GError *error = NULL; - gpointer keypair; - GString *keypair_out; - gint how; - ucl_object_t *ucl_out, *elt; + struct rspamd_cryptobox_keypair *kp; + gint how = 0; + ucl_object_t *ucl_out; struct ucl_emitter_functions *ucl_emit_subr; - guchar *sig_sk, *sig_pk; - gchar *sig_sk_encoded, *sig_pk_encoded, *pk_id_encoded; - guchar kh[rspamd_cryptobox_HASHBYTES]; - const gchar *encoding; + GString *out; + enum rspamd_cryptobox_keypair_type type = RSPAMD_KEYPAIR_KEX; + enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519; context = g_option_context_new ( "keypair - create encryption keys"); @@ -106,159 +104,39 @@ rspamadm_keypair (gint argc, gchar **argv) } if (openssl) { - if (!rspamd_cryptobox_openssl_mode (TRUE)) { - fprintf (stderr, "cannot enable openssl mode (incompatible openssl)\n"); - exit (1); - } + mode = RSPAMD_CRYPTOBOX_MODE_NIST; } - - if (!sign) { - keypair = rspamd_http_connection_gen_key (); - if (keypair == NULL) { - exit (EXIT_FAILURE); - } - - how = 0; - - if (hex_encode) { - how |= RSPAMD_KEYPAIR_HEX; - encoding = "hex"; - } - else { - how |= RSPAMD_KEYPAIR_BASE32; - encoding = "base32"; - } - - if (ucl) { - ucl_out = ucl_object_typed_new (UCL_OBJECT); - elt = ucl_object_typed_new (UCL_OBJECT); - ucl_object_insert_key (ucl_out, elt, "keypair", 0, false); - - /* pubkey part */ - keypair_out = rspamd_http_connection_print_key (keypair, - RSPAMD_KEYPAIR_PUBKEY|how); - ucl_object_insert_key (elt, - ucl_object_fromlstring (keypair_out->str, keypair_out->len), - "pubkey", 0, false); - g_string_free (keypair_out, TRUE); - - /* privkey part */ - keypair_out = rspamd_http_connection_print_key (keypair, - RSPAMD_KEYPAIR_PRIVKEY|how); - ucl_object_insert_key (elt, - ucl_object_fromlstring (keypair_out->str, keypair_out->len), - "privkey", 0, false); - g_string_free (keypair_out, TRUE); - - keypair_out = rspamd_http_connection_print_key (keypair, - RSPAMD_KEYPAIR_ID|how); - ucl_object_insert_key (elt, - ucl_object_fromlstring (keypair_out->str, keypair_out->len), - "id", 0, false); - ucl_object_insert_key (elt, - ucl_object_fromstring (encoding), - "encoding", 0, false); - ucl_object_insert_key (elt, - ucl_object_fromstring (openssl ? "nistp256" : "curve25519"), - "algorithm", 0, false); - ucl_object_insert_key (elt, - ucl_object_fromstring ("kex"), - "type", 0, false); - - ucl_emit_subr = ucl_object_emit_file_funcs (stdout); - ucl_object_emit_full (ucl_out, UCL_EMIT_CONFIG, ucl_emit_subr); - ucl_object_emit_funcs_free (ucl_emit_subr); - ucl_object_unref (ucl_out); - } - else { - how |= RSPAMD_KEYPAIR_PUBKEY | RSPAMD_KEYPAIR_PRIVKEY; - - if (!raw) { - how |= RSPAMD_KEYPAIR_HUMAN|RSPAMD_KEYPAIR_ID; - } - - keypair_out = rspamd_http_connection_print_key (keypair, how); - rspamd_printf ("%v", keypair_out); - } - - rspamd_http_connection_key_unref (keypair); - rspamd_explicit_memzero (keypair_out->str, keypair_out->len); - g_string_free (keypair_out, TRUE); + if (hex_encode) { + how |= RSPAMD_KEYPAIR_HEX; } else { - sig_sk = g_malloc (rspamd_cryptobox_sk_sig_bytes ()); - sig_pk = g_malloc (rspamd_cryptobox_pk_sig_bytes ()); - - rspamd_cryptobox_keypair_sig (sig_pk, sig_sk); - rspamd_cryptobox_hash (kh, sig_pk, rspamd_cryptobox_pk_sig_bytes (), - NULL, 0); - - if (hex_encode) { - encoding = "hex"; - sig_pk_encoded = rspamd_encode_hex (sig_pk, - rspamd_cryptobox_pk_sig_bytes ()); - sig_sk_encoded = rspamd_encode_hex (sig_sk, - rspamd_cryptobox_sk_sig_bytes ()); - pk_id_encoded = rspamd_encode_hex (kh, sizeof (kh)); - } - else { - encoding = "base32"; - sig_pk_encoded = rspamd_encode_base32 (sig_pk, - rspamd_cryptobox_pk_sig_bytes ()); - sig_sk_encoded = rspamd_encode_base32 (sig_sk, - rspamd_cryptobox_sk_sig_bytes ()); - pk_id_encoded = rspamd_encode_base32 (kh, sizeof (kh)); - } - - if (ucl) { - ucl_out = ucl_object_typed_new (UCL_OBJECT); - elt = ucl_object_typed_new (UCL_OBJECT); - ucl_object_insert_key (ucl_out, elt, "keypair", 0, false); - - /* pubkey part */ - ucl_object_insert_key (elt, - ucl_object_fromstring (sig_pk_encoded), - "pubkey", 0, false); - - /* privkey part */ - ucl_object_insert_key (elt, - ucl_object_fromstring (sig_sk_encoded), - "privkey", 0, false); + how |= RSPAMD_KEYPAIR_BASE32; + } - ucl_object_insert_key (elt, - ucl_object_fromstring (pk_id_encoded), - "id", 0, false); + if (sign) { + type = RSPAMD_KEYPAIR_SIGN; + } - ucl_object_insert_key (elt, - ucl_object_fromstring (encoding), - "encoding", 0, false); + kp = rspamd_keypair_new (type, mode); - ucl_object_insert_key (elt, - ucl_object_fromstring (openssl ? "nistp256" : "curve25519"), - "algorithm", 0, false); - ucl_object_insert_key (elt, - ucl_object_fromstring ("sign"), - "type", 0, false); + if (ucl) { + ucl_out = rspamd_keypair_to_ucl (kp, hex_encode); + ucl_emit_subr = ucl_object_emit_file_funcs (stdout); + ucl_object_emit_full (ucl_out, UCL_EMIT_CONFIG, ucl_emit_subr); + ucl_object_emit_funcs_free (ucl_emit_subr); + ucl_object_unref (ucl_out); + } + else { + how |= RSPAMD_KEYPAIR_PUBKEY | RSPAMD_KEYPAIR_PRIVKEY; - ucl_emit_subr = ucl_object_emit_file_funcs (stdout); - ucl_object_emit_full (ucl_out, UCL_EMIT_CONFIG, ucl_emit_subr); - ucl_object_emit_funcs_free (ucl_emit_subr); - ucl_object_unref (ucl_out); + if (!raw) { + how |= RSPAMD_KEYPAIR_HUMAN|RSPAMD_KEYPAIR_ID; } - else { - rspamd_printf ("Public key: %s\nPrivate key: %s\nKey ID: %s\n", - sig_pk_encoded, - sig_sk_encoded, - pk_id_encoded); - } - - rspamd_explicit_memzero (sig_sk, rspamd_cryptobox_sk_sig_bytes ()); - rspamd_explicit_memzero (sig_sk_encoded, strlen (sig_sk_encoded)); - g_free (sig_pk); - g_free (sig_sk); - g_free (sig_pk_encoded); - g_free (sig_sk_encoded); - g_free (pk_id_encoded); + out = rspamd_keypair_print (kp, how); + rspamd_printf ("%v", kp); + g_string_free (out, TRUE); } + + rspamd_keypair_unref (kp); } diff --git a/src/rspamadm/signtool.c b/src/rspamadm/signtool.c index c63c16090..8c9d9e705 100644 --- a/src/rspamadm/signtool.c +++ b/src/rspamadm/signtool.c @@ -19,7 +19,7 @@ #include "cryptobox.h" #include "printf.h" #include "ucl.h" -#include "keypair_private.h" +#include "libcryptobox/keypair.h" #include "libutil/str_util.h" #include "libutil/util.h" #include "unix-std.h" @@ -31,6 +31,7 @@ static gchar *suffix = NULL; static gchar *pubkey_file = NULL; static gchar *pubkey = NULL; static gchar *keypair_file = NULL; +enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519; static void rspamadm_signtool (gint argc, gchar **argv); static const char *rspamadm_signtool_help (gboolean full_help); @@ -127,10 +128,11 @@ rspamadm_sign_file (const gchar *fname, const guchar *sk) exit (errno); } - g_assert (rspamd_cryptobox_MAX_SIGBYTES >= rspamd_cryptobox_signature_bytes ()); + g_assert (rspamd_cryptobox_MAX_SIGBYTES >= + rspamd_cryptobox_signature_bytes (mode)); - rspamd_cryptobox_sign (sig, NULL, map, st.st_size, sk); - write (fd_sig, sig, rspamd_cryptobox_signature_bytes ()); + rspamd_cryptobox_sign (sig, NULL, map, st.st_size, sk, mode); + write (fd_sig, sig, rspamd_cryptobox_signature_bytes (mode)); close (fd_sig); munmap (map, st.st_size); @@ -151,7 +153,8 @@ rspamadm_verify_file (const gchar *fname, const guchar *pk) struct stat st, st_sig; bool ret; - g_assert (rspamd_cryptobox_MAX_SIGBYTES >= rspamd_cryptobox_signature_bytes ()); + g_assert (rspamd_cryptobox_MAX_SIGBYTES >= + rspamd_cryptobox_signature_bytes (mode)); if (suffix == NULL) { suffix = ".sig"; @@ -189,7 +192,7 @@ rspamadm_verify_file (const gchar *fname, const guchar *pk) g_assert (fstat (fd_sig, &st_sig) != -1); - if (st_sig.st_size != rspamd_cryptobox_signature_bytes ()) { + if (st_sig.st_size != rspamd_cryptobox_signature_bytes (mode)) { close (fd_sig); rspamd_fprintf (stderr, "invalid signature size %s: %ud\n", fname, (guint)st_sig.st_size); @@ -207,7 +210,7 @@ rspamadm_verify_file (const gchar *fname, const guchar *pk) exit (errno); } - ret = rspamd_cryptobox_verify (map_sig, map, st.st_size, pk); + ret = rspamd_cryptobox_verify (map_sig, map, st.st_size, pk, mode); munmap (map, st.st_size); munmap (map_sig, st_sig.st_size); @@ -231,9 +234,9 @@ rspamadm_signtool (gint argc, gchar **argv) GError *error = NULL; struct ucl_parser *parser; ucl_object_t *top; - const ucl_object_t *elt; - guchar *pk, *sk; - gsize fsize, flen, klen; + struct rspamd_cryptobox_pubkey *pk; + struct rspamd_cryptobox_keypair *kp; + gsize fsize, flen; gint i; context = g_option_context_new ( @@ -252,10 +255,7 @@ rspamadm_signtool (gint argc, gchar **argv) } if (openssl) { - if (!rspamd_cryptobox_openssl_mode (TRUE)) { - rspamd_fprintf (stderr, "cannot enable openssl mode (incompatible openssl)\n"); - exit (1); - } + mode = RSPAMD_CRYPTOBOX_MODE_NIST; } if (verify && (!pubkey && !pubkey_file)) { @@ -300,29 +300,32 @@ rspamadm_signtool (gint argc, gchar **argv) flen --; } - pk = rspamd_decode_base32 (map, flen, &klen); + pk = rspamd_pubkey_from_base32 (map, flen, + RSPAMD_KEYPAIR_SIGN, mode); - if (klen != rspamd_cryptobox_pk_sig_bytes () || pk == NULL) { - rspamd_fprintf (stderr, "bad size %s: %ud, %ud expected\n", klen, - rspamd_cryptobox_pk_sig_bytes ()); + if (pk == NULL) { + rspamd_fprintf (stderr, "bad size %s: %ud, %ud expected\n", flen, + rspamd_cryptobox_pk_sig_bytes (mode)); exit (errno); } munmap (map, fsize); } else { - pk = rspamd_decode_base32 (pubkey, strlen (pubkey), &klen); + pk = rspamd_pubkey_from_base32 (pubkey, strlen (pubkey), + RSPAMD_KEYPAIR_SIGN, mode); - if (klen != rspamd_cryptobox_pk_sig_bytes () || pk == NULL) { - rspamd_fprintf (stderr, "bad size %s: %ud, %ud expected\n", klen, - rspamd_cryptobox_pk_sig_bytes ()); + if (pk == NULL) { + rspamd_fprintf (stderr, "bad size %s: %ud, %ud expected\n", + strlen (pubkey), + rspamd_cryptobox_pk_sig_bytes (mode)); exit (errno); } } for (i = 1; i < argc; i++) { /* XXX: support cmd line signature */ - if (!rspamadm_verify_file (argv[i], pk)) { + if (!rspamadm_verify_file (argv[i], rspamd_pubkey_get_pk (pk, NULL))) { exit (EXIT_FAILURE); } } @@ -343,44 +346,17 @@ rspamadm_signtool (gint argc, gchar **argv) ucl_parser_free (parser); - /* XXX: add generic routine to parse all keypair types */ - elt = ucl_object_find_key (top, "keypair"); - - /* XXX: add secure cleanup */ - if (elt == NULL || ucl_object_type (elt) != UCL_OBJECT) { - rspamd_fprintf (stderr, "cannot load keypair: absent keypair\n"); - ucl_object_unref (top); - exit (EINVAL); - } - - elt = ucl_object_find_key (elt, "privkey"); - - if (elt == NULL || ucl_object_type (elt) != UCL_STRING) { - rspamd_fprintf (stderr, "cannot load keypair: absent privkey\n"); - ucl_object_unref (top); - exit (EINVAL); - } - - sk = rspamd_decode_base32 (ucl_object_tostring (elt), - elt->len, &klen); - ucl_object_unref (top); - - if (klen != rspamd_cryptobox_sk_sig_bytes () || sk == NULL) { - rspamd_fprintf (stderr, "bad size %s: %ud, %ud expected\n", - ucl_object_tostring (elt),klen, - rspamd_cryptobox_sk_sig_bytes ()); - exit (errno); - } + kp = rspamd_keypair_from_ucl (top); for (i = 1; i < argc; i++) { /* XXX: support cmd line signature */ - if (!rspamadm_sign_file (argv[i], sk)) { - rspamd_explicit_memzero (sk, klen); + if (!rspamadm_sign_file (argv[i], rspamd_keypair_component ( + kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL))) { + rspamd_keypair_unref (kp); exit (EXIT_FAILURE); } } - rspamd_explicit_memzero (sk, klen); - g_free (sk); + rspamd_keypair_unref (kp); } } |