Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/agc-netpgp-standalone]: src/crypto/external/bsd/netpgp Replace the netpg...
details: https://anonhg.NetBSD.org/src/rev/6ffc9fede7f9
branches: agc-netpgp-standalone
changeset: 777812:6ffc9fede7f9
user: agc <agc%NetBSD.org@localhost>
date: Sat Oct 20 04:59:52 2012 +0000
description:
Replace the netpgpverify command and libnetpgpverify in the
agc-netpgp-standalone branch with a completely rewritten "from the RFC
up" version designed to be small, standalone, and easy to maintain.
% ldd bin/netpgpverify/netpgpverify
bin/netpgpverify/netpgpverify:
-lz.1 => /usr/lib/libz.so.1
-lgcc_s.1 => /usr/lib/libgcc_s.so.1
-lc.12 => /usr/lib/libc.so.12
-lbz2.1 => /usr/lib/libbz2.so.1
-lnetpgpverify.4 => /usr/lib/libnetpgpverify.so.4
% ldd lib/verify/libnetpgpverify.so
lib/verify/libnetpgpverify.so:
-lc.12 => /usr/lib/libc.so.12
% ls -al lib/verify/libnetpgpverify* bin/netpgpverify/netpgpverify
-rwxr-xr-x 1 agc agc 10502 Oct 18 20:59 bin/netpgpverify/netpgpverify
-rw-r--r-- 1 agc agc 159720 Oct 18 20:59 lib/verify/libnetpgpverify.a
-rw-r--r-- 1 agc agc 4822 Oct 18 20:59 lib/verify/libnetpgpverify.html3
lrwxr-xr-x 1 agc agc 22 Oct 18 20:59 lib/verify/libnetpgpverify.so -> libnetpgpverify.so.4.0
lrwxr-xr-x 1 agc agc 22 Oct 18 20:59 lib/verify/libnetpgpverify.so.4 -> libnetpgpverify.so.4.0
-rwxr-xr-x 1 agc agc 123069 Oct 18 20:59 lib/verify/libnetpgpverify.so.4.0
-rw-r--r-- 1 agc agc 169696 Oct 18 20:59 lib/verify/libnetpgpverify_p.a
-rw-r--r-- 1 agc agc 149968 Oct 18 20:59 lib/verify/libnetpgpverify_pic.a
%
("Small" here includes the full BIGNUM/mpi functionality required to
verify signatures).
Instead of using extensive callbacks for input data, which have proved
to be fragile and difficult to maintain, as well as precluding uses
elsewhere, this uses straight mmaping of input files where possible,
and falls back to reading if unavailable.
RFC 4880 makes provision for two types of data to be signed, binary
data and text, and text is subject to modification of data before the
signature is made, and is usually opaque. The new netpgpverify(1) can
handle this, our old version could not. DSA signatures are not yet
supported -- watch this space -- but full RSA ones, including those of
text documents like the signed NetBSD release hashes (see PR
bin/46930) are recognised and are included in the regression tests.
% env LD_LIBRARY_PATH=../../lib/verify ./netpgpverify < NetBSD-6.0_hashes.asc
Good signature for [stdin] made Mon Oct 15 09:28:54 2012
signature 4096/RSA (Encrypt or Sign) 064973ac4c4a706e 2009-06-23
fingerprint: ddee 2bdb 9c98 a0d1 d4fb dbf7 0649 73ac 4c4a 706e
uid NetBSD Security Officer <security-officer%NetBSD.org@localhost>
encryption 4096/RSA (Encrypt or Sign) 9ff2c24fdf2ce620 2009-06-23 [Expiry 2019-06-21]
fingerprint: 1915 0801 fbd8 f45d 89f2 0205 9ff2 c24f df2c e620
%
Redirection from stdin is also supported, as are multiple files, and
detached signatures. Another interesting use is to verify the
signatures, and to retrieve the data only if a signature matches -
this was the old "--cat" command to netpgpverify(1), and it has been
brought forward into the newer version.
% env LD_LIBRARY_PATH=../../lib/verify ./netpgpverify -c cat det.sig | diff det -
%
This is implemented as a library and a small program to call so
that it is easier to embed verification of signatures in scripting
languages, or other source code.
diffstat:
crypto/external/bsd/netpgp/bin/netpgp/Makefile | 6 +-
crypto/external/bsd/netpgp/bin/netpgpverify/Makefile | 119 +-
crypto/external/bsd/netpgp/bin/pgp2ssh/Makefile | 6 +-
crypto/external/bsd/netpgp/dist/include/netpgp.h | 2 +
crypto/external/bsd/netpgp/dist/src/lib/validate.c | 4 +-
crypto/external/bsd/netpgp/dist/src/librsa/rsa.c | 84 +
crypto/external/bsd/netpgp/dist/src/librsa/rsa.h | 1 +
crypto/external/bsd/netpgp/dist/src/libverify/Makefile | 77 +-
crypto/external/bsd/netpgp/dist/src/libverify/array.h | 82 +
crypto/external/bsd/netpgp/dist/src/libverify/b64.c | 349 +
crypto/external/bsd/netpgp/dist/src/libverify/b64.h | 32 +
crypto/external/bsd/netpgp/dist/src/libverify/dump.c | 88 +
crypto/external/bsd/netpgp/dist/src/libverify/libnetpgpverify.3 | 100 +-
crypto/external/bsd/netpgp/dist/src/libverify/libverify.c | 2068 ++++++++++
crypto/external/bsd/netpgp/dist/src/libverify/pgpsum.c | 182 +
crypto/external/bsd/netpgp/dist/src/libverify/pgpsum.h | 35 +
crypto/external/bsd/netpgp/dist/src/libverify/verify.h | 240 +-
crypto/external/bsd/netpgp/dist/src/netpgpverify/main.c | 160 +
crypto/external/bsd/netpgp/dist/src/netpgpverify/netpgpverify.1 | 125 +-
crypto/external/bsd/netpgp/dist/src/netpgpverify/verify.c | 361 -
crypto/external/bsd/netpgp/lib/Makefile | 4 +-
crypto/external/bsd/netpgp/lib/bn/Makefile | 4 +-
crypto/external/bsd/netpgp/lib/bn/shlib_version | 2 +-
crypto/external/bsd/netpgp/lib/cipher/shlib_version | 2 +-
crypto/external/bsd/netpgp/lib/mj/shlib_version | 2 +-
crypto/external/bsd/netpgp/lib/netpgp/shlib_version | 2 +-
crypto/external/bsd/netpgp/lib/paa/shlib_version | 2 +-
crypto/external/bsd/netpgp/lib/rsa/shlib_version | 2 +-
crypto/external/bsd/netpgp/lib/verify/Makefile | 16 +-
crypto/external/bsd/netpgp/lib/verify/shlib_version | 2 +-
30 files changed, 3622 insertions(+), 537 deletions(-)
diffs (truncated from 4465 to 300 lines):
diff -r 7df8e6324efe -r 6ffc9fede7f9 crypto/external/bsd/netpgp/bin/netpgp/Makefile
--- a/crypto/external/bsd/netpgp/bin/netpgp/Makefile Sat Oct 20 04:54:40 2012 +0000
+++ b/crypto/external/bsd/netpgp/bin/netpgp/Makefile Sat Oct 20 04:59:52 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.1.2.1 2012/05/06 17:57:11 agc Exp $
+# $NetBSD: Makefile,v 1.1.2.2 2012/10/20 04:59:52 agc Exp $
.include <bsd.own.mk>
@@ -23,6 +23,10 @@
LDADD+= -L${LIBNETRSADIR} -lnetpgprsa
DPADD+= ${LIBNETRSADIR}/libnetpgprsa.a
+LIBNETDIGESTDIR!= cd ${.CURDIR}/../../lib/digest && ${PRINTOBJDIR}
+LDADD+= -L${LIBNETDIGESTDIR} -lnetpgpdigest
+DPADD+= ${LIBNETDIGESTDIR}/libnetpgpdigest.a
+
LIBNETBNDIR!= cd ${.CURDIR}/../../lib/bn && ${PRINTOBJDIR}
LDADD+= -L${LIBNETBNDIR} -lnetpgpbn
DPADD+= ${LIBNETBNDIR}/libnetpgpbn.a
diff -r 7df8e6324efe -r 6ffc9fede7f9 crypto/external/bsd/netpgp/bin/netpgpverify/Makefile
--- a/crypto/external/bsd/netpgp/bin/netpgpverify/Makefile Sat Oct 20 04:54:40 2012 +0000
+++ b/crypto/external/bsd/netpgp/bin/netpgpverify/Makefile Sat Oct 20 04:59:52 2012 +0000
@@ -1,47 +1,90 @@
-# $NetBSD: Makefile,v 1.1.2.1 2012/05/06 17:57:11 agc Exp $
+# $NetBSD: Makefile,v 1.1.2.2 2012/10/20 04:59:52 agc Exp $
.include <bsd.own.mk>
-PROG= netpgpverify
-BINDIR= /usr/bin
-SRCS= verify.c
-
-CPPFLAGS+= -I${EXTDIST}/include -I${.CURDIR}/../../lib/netpgp
-CPPFLAGS+= -I${EXTDIST}/src/libbn
-CPPFLAGS+= -I${EXTDIST}/src/librsa
+PROG=netpgpverify
+SRCS+=main.c
+WARNS=5
+MAN=netpgpverify.1
+LDADD+=-lz
+LDADD+=-lbz2
+LDADD+=-lnetpgpverify
-LIBNETPGPDIR!= cd ${.CURDIR}/../../lib/netpgp && ${PRINTOBJDIR}
-LDADD+= -L${LIBNETPGPDIR} -lnetpgp
-DPADD+= ${LIBNETPGPDIR}/libnetpgp.a
-
-LIBNETPGPVERIFYDIR!= cd ${.CURDIR}/../../lib/verify && ${PRINTOBJDIR}
-LDADD+= -L${LIBNETPGPVERIFYDIR} -lnetpgpverify
-DPADD+= ${LIBNETPGPVERIFYDIR}/libnetpgpverify.a
-
-LIBNETCIPHERDIR!= cd ${.CURDIR}/../../lib/cipher && ${PRINTOBJDIR}
-LDADD+= -L${LIBNETCIPHERDIR} -lnetpgpcipher
-DPADD+= ${LIBNETCIPHERDIR}/libnetpgpcipher.a
+CPPFLAGS+=-I${EXTDIST}/libverify
-LIBNETRSADIR!= cd ${.CURDIR}/../../lib/rsa && ${PRINTOBJDIR}
-LDADD+= -L${LIBNETRSADIR} -lnetpgprsa
-DPADD+= ${LIBNETRSADIR}/libnetpgprsa.a
-
-LIBNETBNDIR!= cd ${.CURDIR}/../../lib/bn && ${PRINTOBJDIR}
-LDADD+= -L${LIBNETBNDIR} -lnetpgpbn
-DPADD+= ${LIBNETBNDIR}/libnetpgpbn.a
+# XXX - debugging
+#CPPFLAGS+=-g -O0
+#LDFLAGS+=-g -O0
+#CPPFLAGS+=-O3
+#LDFLAGS+=-O3
-LIBMJDIR!= cd ${.CURDIR}/../../lib/mj && ${PRINTOBJDIR}
-LDADD+= -L${LIBMJDIR} -lmj
-DPADD+= ${LIBMJDIR}/libmj.a
-
-LDADD+= -lz -lbz2
-DPADD+= ${LIBZ} ${LIBBZ2}
+LIBNETPGPVERIFYDIR!= cd ${.CURDIR}/../../lib/verify && ${PRINTOBJDIR}
+LDADD+= -L${LIBNETPGPVERIFYDIR} -lnetpgpverify
+DPADD+= ${LIBNETPGPVERIFYDIR}/libnetpgpverify.a
-MAN= netpgpverify.1
-
-WARNS= 4
-
-EXTDIST= ${.CURDIR}/../../dist
-.PATH: ${EXTDIST}/src/netpgpverify ${EXTDIST}/src/libnetpgp
+EXTDIST= ${.CURDIR}/../../dist/src
+.PATH: ${EXTDIST}/netpgpverify
.include <bsd.prog.mk>
+
+t: ${PROG}
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} -c verify b.gpg > output16
+ diff expected16 output16
+ rm -f output16
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} -c verify a.gpg > output17
+ diff expected17 output17
+ rm -f output17
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} -c verify gpgsigned-a.gpg > output18
+ diff expected18 output18
+ rm -f output18
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} -c verify NetBSD-6.0_RC2_hashes.asc > output19
+ diff expected19 output19
+ rm -f output19
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} -c cat jj.asc > output20
+ diff expected20 output20
+ rm -f output20
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} < a.gpg > output21
+ diff expected21 output21
+ rm -f output21
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} < jj.asc > output22
+ diff expected22 output22
+ rm -f output22
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} < NetBSD-6.0_RC2_hashes.asc > output23
+ diff expected23 output23
+ rm -f output23
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} < b.gpg > output24
+ diff expected24 output24
+ rm -f output24
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} NetBSD-6.0_RC1_hashes.gpg > output25
+ diff expected25 output25
+ rm -f output25
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} < NetBSD-6.0_RC1_hashes.gpg > output26
+ diff expected26 output26
+ rm -f output26
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} < NetBSD-6.0_hashes.asc > output27
+ diff expected27 output27
+ rm -f output27
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} NetBSD-6.0_hashes.asc > output28
+ diff expected28 output28
+ rm -f output28
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} NetBSD-6.0_RC1_hashes_ascii.gpg > output29
+ diff expected29 output29
+ rm -f output29
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} < NetBSD-6.0_RC1_hashes_ascii.gpg > output30
+ diff expected30 output30
+ rm -f output30
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} -c cat b.gpg b.gpg b.gpg > output31
+ diff expected31 output31
+ rm -f output31
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} b.gpg b.gpg b.gpg > output32
+ diff expected32 output32
+ rm -f output32
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} -c cat b.gpg jj.asc b.gpg > output33
+ diff expected33 output33
+ rm -f output33
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} det.sig > output34
+ diff expected34 output34
+ rm -f output34
+ env LD_LIBRARY_PATH=${LIBNETPGPVERIFYDIR} ./${PROG} -c cat det.sig > output35
+ diff expected35 output35
+ rm -f output35
diff -r 7df8e6324efe -r 6ffc9fede7f9 crypto/external/bsd/netpgp/bin/pgp2ssh/Makefile
--- a/crypto/external/bsd/netpgp/bin/pgp2ssh/Makefile Sat Oct 20 04:54:40 2012 +0000
+++ b/crypto/external/bsd/netpgp/bin/pgp2ssh/Makefile Sat Oct 20 04:59:52 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.1.2.1 2012/05/06 17:57:11 agc Exp $
+# $NetBSD: Makefile,v 1.1.2.2 2012/10/20 04:59:52 agc Exp $
.include <bsd.own.mk>
@@ -24,6 +24,10 @@
LDADD+= -L${LIBNETRSADIR} -lnetpgprsa
DPADD+= ${LIBNETRSADIR}/libnetpgprsa.a
+LIBNETDIGESTDIR!= cd ${.CURDIR}/../../lib/digest && ${PRINTOBJDIR}
+LDADD+= -L${LIBNETDIGESTDIR} -lnetpgpdigest
+DPADD+= ${LIBNETDIGESTDIR}/libnetpgpdigest.a
+
LIBNETBNDIR!= cd ${.CURDIR}/../../lib/bn && ${PRINTOBJDIR}
LDADD+= -L${LIBNETBNDIR} -lnetpgpbn
DPADD+= ${LIBNETBNDIR}/libnetpgpbn.a
diff -r 7df8e6324efe -r 6ffc9fede7f9 crypto/external/bsd/netpgp/dist/include/netpgp.h
--- a/crypto/external/bsd/netpgp/dist/include/netpgp.h Sat Oct 20 04:54:40 2012 +0000
+++ b/crypto/external/bsd/netpgp/dist/include/netpgp.h Sat Oct 20 04:59:52 2012 +0000
@@ -29,6 +29,8 @@
#ifndef NETPGP_H_
#define NETPGP_H_
+#include <unistd.h>
+
#ifndef __BEGIN_DECLS
# if defined(__cplusplus)
# define __BEGIN_DECLS extern "C" {
diff -r 7df8e6324efe -r 6ffc9fede7f9 crypto/external/bsd/netpgp/dist/src/lib/validate.c
--- a/crypto/external/bsd/netpgp/dist/src/lib/validate.c Sat Oct 20 04:54:40 2012 +0000
+++ b/crypto/external/bsd/netpgp/dist/src/lib/validate.c Sat Oct 20 04:59:52 2012 +0000
@@ -54,7 +54,7 @@
#if defined(__NetBSD__)
__COPYRIGHT("@(#) Copyright (c) 2009 The NetBSD Foundation, Inc. All rights reserved.");
-__RCSID("$NetBSD: validate.c,v 1.44 2012/03/05 02:20:18 christos Exp $");
+__RCSID("$NetBSD: validate.c,v 1.44.2.1 2012/10/20 04:59:52 agc Exp $");
#endif
#include <sys/types.h>
@@ -548,7 +548,7 @@
&data->result->invalid_sigs,
&data->result->invalidc)) {
PGP_ERROR_1(errors, PGP_E_V_BAD_SIGNATURE, "%s",
- "Can't add good sig to list");
+ "Can't add bad sig to list");
}
}
break;
diff -r 7df8e6324efe -r 6ffc9fede7f9 crypto/external/bsd/netpgp/dist/src/librsa/rsa.c
--- a/crypto/external/bsd/netpgp/dist/src/librsa/rsa.c Sat Oct 20 04:54:40 2012 +0000
+++ b/crypto/external/bsd/netpgp/dist/src/librsa/rsa.c Sat Oct 20 04:59:52 2012 +0000
@@ -184,6 +184,70 @@
return r;
}
+static int
+lowlevel_rsa_public_decrypt(const uint8_t *encbuf, int enclen, uint8_t *dec, const rsa_pubkey_t *rsa)
+{
+ uint8_t *decbuf;
+ BIGNUM *decbn;
+ BIGNUM *encbn;
+ int decbytes;
+ int nbytes;
+ int r;
+
+ nbytes = 0;
+ r = -1;
+ decbuf = NULL;
+ decbn = encbn = NULL;
+ if (BN_num_bits(rsa->n) > RSA_MAX_MODULUS_BITS) {
+ printf("rsa r modulus too large\n");
+ goto err;
+ }
+ if (BN_cmp(rsa->n, rsa->e) <= 0) {
+ printf("rsa r bad n value\n");
+ goto err;
+ }
+ if (BN_num_bits(rsa->n) > RSA_SMALL_MODULUS_BITS &&
+ BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) {
+ printf("rsa r bad exponent limit\n");
+ goto err;
+ }
+ if ((encbn = BN_new()) == NULL ||
+ (decbn = BN_new()) == NULL ||
+ (decbuf = netpgp_allocate(1, nbytes = BN_num_bytes(rsa->n))) == NULL) {
+ printf("allocation failure\n");
+ goto err;
+ }
+ if (enclen > nbytes) {
+ printf("rsa r > mod len\n");
+ goto err;
+ }
+ if (BN_bin2bn(encbuf, enclen, encbn) == NULL) {
+ printf("null encrypted BN\n");
+ goto err;
+ }
+ if (BN_cmp(encbn, rsa->n) >= 0) {
+ printf("rsa r data too large for modulus\n");
+ goto err;
+ }
+ if (BN_mod_exp(decbn, encbn, rsa->e, rsa->n, NULL) < 0) {
+ printf("BN_mod_exp < 0\n");
+ goto err;
+ }
+ decbytes = BN_num_bytes(decbn);
+ (void) BN_bn2bin(decbn, decbuf);
+ if ((r = rsa_padding_check_none(dec, nbytes, decbuf, decbytes, 0)) < 0) {
+ printf("rsa r padding check failed\n");
+ }
+err:
+ BN_free(encbn);
+ BN_free(decbn);
+ if (decbuf != NULL) {
+ (void) memset(decbuf, 0x0, nbytes);
+ netpgp_deallocate(decbuf, nbytes);
+ }
+ return r;
+}
+
#if 0
/**
@file rsa_make_key.c
@@ -549,6 +613,26 @@
return lowlevel_rsa_private_encrypt(plainc, plain, encbuf, rsa);
}
+/* verify */
+int
+RSA_public_decrypt(int enclen, const unsigned char *enc, unsigned char *dec, RSA *rsa, int padding)
+{
+ rsa_pubkey_t pub;
+ int ret;
+
+ if (enc == NULL || dec == NULL || rsa == NULL) {
+ return 0;
+ }
+ USE_ARG(padding);
+ (void) memset(&pub, 0x0, sizeof(pub));
+ pub.n = BN_dup(rsa->n);
+ pub.e = BN_dup(rsa->e);
+ ret = lowlevel_rsa_public_decrypt(enc, enclen, dec, &pub);
+ BN_free(pub.n);
+ BN_free(pub.e);
Home |
Main Index |
Thread Index |
Old Index