Fix rspamadm

2 files changed, 63 insertions, 209 deletions

diff --git a/src/rspamadm/keypair.c b/src/rspamadm/keypair.c
index 8f2f494de..2cfbee972 100644
--- a/src/rspamadm/keypair.c
+++ b/src/rspamadm/keypair.c
@@ -19,7 +19,7 @@
 #include "printf.h"
 #include "http.h"
 #include "ucl.h"
-#include "keypair_private.h"
+#include "libcryptobox/keypair.h"
 #include "libutil/str_util.h"
 
 static gboolean hex_encode = FALSE;
@@ -80,15 +80,13 @@ rspamadm_keypair (gint argc, gchar **argv)
 {
 	GOptionContext *context;
 	GError *error = NULL;
-	gpointer keypair;
-	GString *keypair_out;
-	gint how;
-	ucl_object_t *ucl_out, *elt;
+	struct rspamd_cryptobox_keypair *kp;
+	gint how = 0;
+	ucl_object_t *ucl_out;
 	struct ucl_emitter_functions *ucl_emit_subr;
-	guchar *sig_sk, *sig_pk;
-	gchar *sig_sk_encoded, *sig_pk_encoded, *pk_id_encoded;
-	guchar kh[rspamd_cryptobox_HASHBYTES];
-	const gchar *encoding;
+	GString *out;
+	enum rspamd_cryptobox_keypair_type type = RSPAMD_KEYPAIR_KEX;
+	enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519;
 
 	context = g_option_context_new (
 			"keypair - create encryption keys");
@@ -106,159 +104,39 @@ rspamadm_keypair (gint argc, gchar **argv)
 	}
 
 	if (openssl) {
-		if (!rspamd_cryptobox_openssl_mode (TRUE)) {
-			fprintf (stderr, "cannot enable openssl mode (incompatible openssl)\n");
-			exit (1);
-		}
+		mode = RSPAMD_CRYPTOBOX_MODE_NIST;
 	}
-
-	if (!sign) {
-		keypair = rspamd_http_connection_gen_key ();
-		if (keypair == NULL) {
-			exit (EXIT_FAILURE);
-		}
-
-		how = 0;
-
-		if (hex_encode) {
-			how |= RSPAMD_KEYPAIR_HEX;
-			encoding = "hex";
-		}
-		else {
-			how |= RSPAMD_KEYPAIR_BASE32;
-			encoding = "base32";
-		}
-
-		if (ucl) {
-			ucl_out = ucl_object_typed_new (UCL_OBJECT);
-			elt = ucl_object_typed_new (UCL_OBJECT);
-			ucl_object_insert_key (ucl_out, elt, "keypair", 0, false);
-
-			/* pubkey part */
-			keypair_out = rspamd_http_connection_print_key (keypair,
-					RSPAMD_KEYPAIR_PUBKEY|how);
-			ucl_object_insert_key (elt,
-					ucl_object_fromlstring (keypair_out->str, keypair_out->len),
-					"pubkey", 0, false);
-			g_string_free (keypair_out, TRUE);
-
-			/* privkey part */
-			keypair_out = rspamd_http_connection_print_key (keypair,
-					RSPAMD_KEYPAIR_PRIVKEY|how);
-			ucl_object_insert_key (elt,
-					ucl_object_fromlstring (keypair_out->str, keypair_out->len),
-					"privkey", 0, false);
-			g_string_free (keypair_out, TRUE);
-
-			keypair_out = rspamd_http_connection_print_key (keypair,
-					RSPAMD_KEYPAIR_ID|how);
-			ucl_object_insert_key (elt,
-					ucl_object_fromlstring (keypair_out->str, keypair_out->len),
-					"id", 0, false);
-			ucl_object_insert_key (elt,
-					ucl_object_fromstring (encoding),
-					"encoding", 0, false);
-			ucl_object_insert_key (elt,
-					ucl_object_fromstring (openssl ? "nistp256" : "curve25519"),
-					"algorithm", 0, false);
-			ucl_object_insert_key (elt,
-					ucl_object_fromstring ("kex"),
-					"type", 0, false);
-
-			ucl_emit_subr = ucl_object_emit_file_funcs (stdout);
-			ucl_object_emit_full (ucl_out, UCL_EMIT_CONFIG, ucl_emit_subr);
-			ucl_object_emit_funcs_free (ucl_emit_subr);
-			ucl_object_unref (ucl_out);
-		}
-		else {
-			how |= RSPAMD_KEYPAIR_PUBKEY | RSPAMD_KEYPAIR_PRIVKEY;
-
-			if (!raw) {
-				how |= RSPAMD_KEYPAIR_HUMAN|RSPAMD_KEYPAIR_ID;
-			}
-
-			keypair_out = rspamd_http_connection_print_key (keypair, how);
-			rspamd_printf ("%v", keypair_out);
-		}
-
-		rspamd_http_connection_key_unref (keypair);
-		rspamd_explicit_memzero (keypair_out->str, keypair_out->len);
-		g_string_free (keypair_out, TRUE);
+	if (hex_encode) {
+		how |= RSPAMD_KEYPAIR_HEX;
 	}
 	else {
-		sig_sk = g_malloc (rspamd_cryptobox_sk_sig_bytes ());
-		sig_pk = g_malloc (rspamd_cryptobox_pk_sig_bytes ());
-
-		rspamd_cryptobox_keypair_sig (sig_pk, sig_sk);
-		rspamd_cryptobox_hash (kh, sig_pk, rspamd_cryptobox_pk_sig_bytes (),
-							NULL, 0);
-
-		if (hex_encode) {
-			encoding = "hex";
-			sig_pk_encoded = rspamd_encode_hex (sig_pk,
-					rspamd_cryptobox_pk_sig_bytes ());
-			sig_sk_encoded = rspamd_encode_hex (sig_sk,
-					rspamd_cryptobox_sk_sig_bytes ());
-			pk_id_encoded = rspamd_encode_hex (kh, sizeof (kh));
-		}
-		else {
-			encoding = "base32";
-			sig_pk_encoded = rspamd_encode_base32 (sig_pk,
-					rspamd_cryptobox_pk_sig_bytes ());
-			sig_sk_encoded = rspamd_encode_base32 (sig_sk,
-					rspamd_cryptobox_sk_sig_bytes ());
-			pk_id_encoded = rspamd_encode_base32 (kh, sizeof (kh));
-		}
-
-		if (ucl) {
-			ucl_out = ucl_object_typed_new (UCL_OBJECT);
-			elt = ucl_object_typed_new (UCL_OBJECT);
-			ucl_object_insert_key (ucl_out, elt, "keypair", 0, false);
-
-			/* pubkey part */
-			ucl_object_insert_key (elt,
-					ucl_object_fromstring (sig_pk_encoded),
-					"pubkey", 0, false);
-
-			/* privkey part */
-			ucl_object_insert_key (elt,
-					ucl_object_fromstring (sig_sk_encoded),
-					"privkey", 0, false);
+		how |= RSPAMD_KEYPAIR_BASE32;
+	}
 
-			ucl_object_insert_key (elt,
-					ucl_object_fromstring (pk_id_encoded),
-					"id", 0, false);
+	if (sign) {
+		type = RSPAMD_KEYPAIR_SIGN;
+	}
 
-			ucl_object_insert_key (elt,
-					ucl_object_fromstring (encoding),
-					"encoding", 0, false);
+	kp = rspamd_keypair_new (type, mode);
 
-			ucl_object_insert_key (elt,
-					ucl_object_fromstring (openssl ? "nistp256" : "curve25519"),
-					"algorithm", 0, false);
-			ucl_object_insert_key (elt,
-					ucl_object_fromstring ("sign"),
-					"type", 0, false);
+	if (ucl) {
+		ucl_out = rspamd_keypair_to_ucl (kp, hex_encode);
+		ucl_emit_subr = ucl_object_emit_file_funcs (stdout);
+		ucl_object_emit_full (ucl_out, UCL_EMIT_CONFIG, ucl_emit_subr);
+		ucl_object_emit_funcs_free (ucl_emit_subr);
+		ucl_object_unref (ucl_out);
+	}
+	else {
+		how |= RSPAMD_KEYPAIR_PUBKEY | RSPAMD_KEYPAIR_PRIVKEY;
 
-			ucl_emit_subr = ucl_object_emit_file_funcs (stdout);
-			ucl_object_emit_full (ucl_out, UCL_EMIT_CONFIG, ucl_emit_subr);
-			ucl_object_emit_funcs_free (ucl_emit_subr);
-			ucl_object_unref (ucl_out);
+		if (!raw) {
+			how |= RSPAMD_KEYPAIR_HUMAN|RSPAMD_KEYPAIR_ID;
 		}
-		else {
-			rspamd_printf ("Public key: %s\nPrivate key: %s\nKey ID: %s\n",
-					sig_pk_encoded,
-					sig_sk_encoded,
-					pk_id_encoded);
-		}
-
-		rspamd_explicit_memzero (sig_sk, rspamd_cryptobox_sk_sig_bytes ());
-		rspamd_explicit_memzero (sig_sk_encoded, strlen (sig_sk_encoded));
 
-		g_free (sig_pk);
-		g_free (sig_sk);
-		g_free (sig_pk_encoded);
-		g_free (sig_sk_encoded);
-		g_free (pk_id_encoded);
+		out = rspamd_keypair_print (kp, how);
+		rspamd_printf ("%v", kp);
+		g_string_free (out, TRUE);
 	}
+
+	rspamd_keypair_unref (kp);
 }
diff --git a/src/rspamadm/signtool.c b/src/rspamadm/signtool.c
index c63c16090..8c9d9e705 100644
--- a/src/rspamadm/signtool.c
+++ b/src/rspamadm/signtool.c
@@ -19,7 +19,7 @@
 #include "cryptobox.h"
 #include "printf.h"
 #include "ucl.h"
-#include "keypair_private.h"
+#include "libcryptobox/keypair.h"
 #include "libutil/str_util.h"
 #include "libutil/util.h"
 #include "unix-std.h"
@@ -31,6 +31,7 @@ static gchar *suffix = NULL;
 static gchar *pubkey_file = NULL;
 static gchar *pubkey = NULL;
 static gchar *keypair_file = NULL;
+enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519;
 
 static void rspamadm_signtool (gint argc, gchar **argv);
 static const char *rspamadm_signtool_help (gboolean full_help);
@@ -127,10 +128,11 @@ rspamadm_sign_file (const gchar *fname, const guchar *sk)
 		exit (errno);
 	}
 
-	g_assert (rspamd_cryptobox_MAX_SIGBYTES >= rspamd_cryptobox_signature_bytes ());
+	g_assert (rspamd_cryptobox_MAX_SIGBYTES >=
+			rspamd_cryptobox_signature_bytes (mode));
 
-	rspamd_cryptobox_sign (sig, NULL, map, st.st_size, sk);
-	write (fd_sig, sig, rspamd_cryptobox_signature_bytes ());
+	rspamd_cryptobox_sign (sig, NULL, map, st.st_size, sk, mode);
+	write (fd_sig, sig, rspamd_cryptobox_signature_bytes (mode));
 	close (fd_sig);
 	munmap (map, st.st_size);
 
@@ -151,7 +153,8 @@ rspamadm_verify_file (const gchar *fname, const guchar *pk)
 	struct stat st, st_sig;
 	bool ret;
 
-	g_assert (rspamd_cryptobox_MAX_SIGBYTES >= rspamd_cryptobox_signature_bytes ());
+	g_assert (rspamd_cryptobox_MAX_SIGBYTES >=
+			rspamd_cryptobox_signature_bytes (mode));
 
 	if (suffix == NULL) {
 		suffix = ".sig";
@@ -189,7 +192,7 @@ rspamadm_verify_file (const gchar *fname, const guchar *pk)
 
 	g_assert (fstat (fd_sig, &st_sig) != -1);
 
-	if (st_sig.st_size != rspamd_cryptobox_signature_bytes ()) {
+	if (st_sig.st_size != rspamd_cryptobox_signature_bytes (mode)) {
 		close (fd_sig);
 		rspamd_fprintf (stderr, "invalid signature size %s: %ud\n", fname,
 				(guint)st_sig.st_size);
@@ -207,7 +210,7 @@ rspamadm_verify_file (const gchar *fname, const guchar *pk)
 		exit (errno);
 	}
 
-	ret = rspamd_cryptobox_verify (map_sig, map, st.st_size, pk);
+	ret = rspamd_cryptobox_verify (map_sig, map, st.st_size, pk, mode);
 	munmap (map, st.st_size);
 	munmap (map_sig, st_sig.st_size);
 
@@ -231,9 +234,9 @@ rspamadm_signtool (gint argc, gchar **argv)
 	GError *error = NULL;
 	struct ucl_parser *parser;
 	ucl_object_t *top;
-	const ucl_object_t *elt;
-	guchar *pk, *sk;
-	gsize fsize, flen, klen;
+	struct rspamd_cryptobox_pubkey *pk;
+	struct rspamd_cryptobox_keypair *kp;
+	gsize fsize, flen;
 	gint i;
 
 	context = g_option_context_new (
@@ -252,10 +255,7 @@ rspamadm_signtool (gint argc, gchar **argv)
 	}
 
 	if (openssl) {
-		if (!rspamd_cryptobox_openssl_mode (TRUE)) {
-			rspamd_fprintf (stderr, "cannot enable openssl mode (incompatible openssl)\n");
-			exit (1);
-		}
+		mode = RSPAMD_CRYPTOBOX_MODE_NIST;
 	}
 
 	if (verify && (!pubkey && !pubkey_file)) {
@@ -300,29 +300,32 @@ rspamadm_signtool (gint argc, gchar **argv)
 				flen --;
 			}
 
-			pk = rspamd_decode_base32 (map, flen, &klen);
+			pk = rspamd_pubkey_from_base32 (map, flen,
+					RSPAMD_KEYPAIR_SIGN, mode);
 
-			if (klen != rspamd_cryptobox_pk_sig_bytes () || pk == NULL) {
-				rspamd_fprintf (stderr, "bad size %s: %ud, %ud expected\n", klen,
-						 rspamd_cryptobox_pk_sig_bytes ());
+			if (pk == NULL) {
+				rspamd_fprintf (stderr, "bad size %s: %ud, %ud expected\n", flen,
+						 rspamd_cryptobox_pk_sig_bytes (mode));
 				exit (errno);
 			}
 
 			munmap (map, fsize);
 		}
 		else {
-			pk = rspamd_decode_base32 (pubkey, strlen (pubkey), &klen);
+			pk = rspamd_pubkey_from_base32 (pubkey, strlen (pubkey),
+								RSPAMD_KEYPAIR_SIGN, mode);
 
-			if (klen != rspamd_cryptobox_pk_sig_bytes () || pk == NULL) {
-				rspamd_fprintf (stderr, "bad size %s: %ud, %ud expected\n", klen,
-						rspamd_cryptobox_pk_sig_bytes ());
+			if (pk == NULL) {
+				rspamd_fprintf (stderr, "bad size %s: %ud, %ud expected\n",
+						strlen (pubkey),
+						rspamd_cryptobox_pk_sig_bytes (mode));
 				exit (errno);
 			}
 		}
 
 		for (i = 1; i < argc; i++) {
 			/* XXX: support cmd line signature */
-			if (!rspamadm_verify_file (argv[i], pk)) {
+			if (!rspamadm_verify_file (argv[i], rspamd_pubkey_get_pk (pk, NULL))) {
 				exit (EXIT_FAILURE);
 			}
 		}
@@ -343,44 +346,17 @@ rspamadm_signtool (gint argc, gchar **argv)
 
 		ucl_parser_free (parser);
 
-		/* XXX: add generic routine to parse all keypair types */
-		elt = ucl_object_find_key (top, "keypair");
-
-		/* XXX: add secure cleanup */
-		if (elt == NULL || ucl_object_type (elt) != UCL_OBJECT) {
-			rspamd_fprintf (stderr, "cannot load keypair: absent keypair\n");
-			ucl_object_unref (top);
-			exit (EINVAL);
-		}
-
-		elt = ucl_object_find_key (elt, "privkey");
-
-		if (elt == NULL || ucl_object_type (elt) != UCL_STRING) {
-			rspamd_fprintf (stderr, "cannot load keypair: absent privkey\n");
-			ucl_object_unref (top);
-			exit (EINVAL);
-		}
-
-		sk = rspamd_decode_base32 (ucl_object_tostring (elt),
-				elt->len, &klen);
-		ucl_object_unref (top);
-
-		if (klen != rspamd_cryptobox_sk_sig_bytes () || sk == NULL) {
-			rspamd_fprintf (stderr, "bad size %s: %ud, %ud expected\n",
-					ucl_object_tostring (elt),klen,
-					rspamd_cryptobox_sk_sig_bytes ());
-			exit (errno);
-		}
+		kp = rspamd_keypair_from_ucl (top);
 
 		for (i = 1; i < argc; i++) {
 			/* XXX: support cmd line signature */
-			if (!rspamadm_sign_file (argv[i], sk)) {
-				rspamd_explicit_memzero (sk, klen);
+			if (!rspamadm_sign_file (argv[i], rspamd_keypair_component (
+					kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL))) {
+				rspamd_keypair_unref (kp);
 				exit (EXIT_FAILURE);
 			}
 		}
 
-		rspamd_explicit_memzero (sk, klen);
-		g_free (sk);
+		rspamd_keypair_unref (kp);
 	}
 }