Start pulling non-library material out of core source files
As part of moving towards a libonak start pulling things that are related
to the onak keyserver out of the core PGP related source files. Start
with logthing, our logging framework, instead moving towards an onak_status_t
enum to allow up to bubble up errors to the caller.
Massage the existing function/structure comments into something that
Doxygen likes, and document a few additional bits and pieces that
Doxygen was complaining about.
Signatures include the first 2 octets of the hash the signature is
over. Checking this matches what we expect is an easy way to drop
corrupt or incorrect signatures. It doesn't provide any cryptographic
verification but is a useful sanity check when accepting keys.
Avoid race condition when receiving incoming mails
There's a race condition between us starting to accept a new incoming
mail and taking the lock to start processing it; a second copy of
onak-mail may come in and start to process the incomplete mail we're
in the process of receiving. Receive to a tmp file and rename to .onak
after we've received everything.
Fixes Debian bug #650557. Thanks to Helmut Grohne <helmut@subdivi.de>
GPG 1.4.12 switches to using the full fingerprint of a key when requesting
a refresh (commit 6fe25e5602fabe92c68e5ba30e4777221e8612df). We were only
supporting retrieval by 32 or 64 bit key ID. Detect when we're passed a
fingerprint and truncate it to the last 64 bits so we can look it up.
In the future we probably want to extend to being able to do lookups by
full fingerprint.
Use nettle for hashing when available rather than internal MD5/SHA1 routines
Change the internal MD5/SHA1 routines to match nettle's name and
calling convention and add suitable autoconf bits to auto-select
nettle if it's available, otherwise fall back to the internal
routines as usual.
Not so much of an issue for MD5/SHA1 (though we might end up with
more optimised routines in some instances), but allows easier use
of other hashing/crypto functions in the future.
Add some more subpacket types to the list to ignore
There are various signature subpacket types we know about, but have
no need to decode (or it doesn't make sense to decode if we're not
checking that the signature is valid). Add some more to prevent
warnings when adding keys that have these subpackets present.
Project Purple isn't a legal entity; credit primary author of files
and include a minimal GPL 2 header in each file rather than relying
on the copy of LICENCE shipped with everything else.
Add /pks/hashquery - an implementation of the SKS hash retrieval
portion of the gossip protocol.
hashquery takes a marshalled array of SKS hashes to retrieve and
returns a marshalled array of the keys requested.
(The marshalling functions essentially take the hash/key structures
and flatten them to a byte stream with a preceding network order
32 bit size value.)
Add support for displaying/retrieving by SKS hash to lookup and onak CLI
Now we are storing the SKS hash details of a key add the ability to
display the hash in /pks/lookup and retrieve it via the new hget
function. This should be compatible with the way in which SKS extends
lookup to support its hashes.
Also add hget to the onak CLI tool and the -s option for showing the
SKS hash of keys.
Add a new backend DB function fetch_key_skshash and implement it
for the fs/db4/keyd & dynamic backends. This allows us to retrieve
a key using the SKS hash, which will be necessary to implement the
gossip protocol.
SKS uses an MD5 hash over the sorted packets from a key as a token
for its gossip protocol. Add support for calculating this hash and a
structure for passing it around within onak.
Make compare_packet follow memcmp semantics and export to other modules
compare_packet is potentially useful elsewhere, but rather than a
true/false comparison provide -1/0/1 for less than/equal/greater
than, as memcmp does.
Fix buffer_getchar to only error if we'd exceed the buffer size
We were erroring when we retrieved the end of the buffer, and not
if we overflowed past the end. Check if we'd overflow and return
an error only in that case.
Change to using void * for character function content parameter
We were passing unsigned char * as the parameter to all of the
character fetching/putting functions. Use void * instead so that
we can pass other types of data without needlessly having to cast.
Output details of key search after retrieval for pks/lookup
Rather than logging what we're searching for beforehand, and then
indicating failure after (but not success), just output the results
and search details after retrieval.
Hopefully this will enabled compilation on GNU/Hurd. PATH_MAX is not
entirely removed, but now only used for array definitions and
conditionally defined if not already defined. Moving the static defs
to dynamic allocations is future work, but this provides a start.
Use generic db dependencies rather than 4.8 versioned ones
Rather than depending on libdb4.8-dev and db4.8-util depend on
libdb-dev and db-util, allowing easy binary only rebuilds in the
event of new db4 releases.
The regular keydb functions for talking to keyd work fine for key
related operations, but there are extra things we want to do with
keyd (such as checking its status or asking it to cleanly exit) that
there's no way to do at present. Add keydctl to provide a way to
access these additional features.
catchsignals() normally catches SIGPIPE and sets the cleanup flag,
as per the other signals it catches. This is fine for the HKP CGI,
but not appropriate for keyd (as it's probably because the client
has exited without doing appropriate cleanup). Ignore it; we'll
deal with the error when we try to read/write to the socket.
Output KEYD_REPLY_OK response for close/quite commands as well
as data size for version/longkeyid commands. Means that commands
can always expect to get an OK response if they've been understood
and a size if they're going to result in some more data.
While cross machine compatibility is not currently an aim for keyd
we should specify the word size for commands to help down the line
if we decide to do this.
Configure db4 locks according to maxkeys and actually check maxkeys
The number of db4 objects iin use is related to the maximum number of
keys we return at once. Configure the locking subsystem accordingly
and limit the number of returned keys to maxkeys.
Significantly improves the reliability of the db4 backend on a large
busy server.
Add use_keyd config file option to select keyd as the backend
We want to be able to use a common config file across the various
tools, so add a config variable to indicate that we're using keyd.
This allows keyd to override the option and then get the configured
backend, while everything else knows to use keyd.
Only seed database for Debian install if we're using default config
If the user changes the config away from DB4 or the default DB
directory and deletes the old directory we'll think they don't
have an initialised key database and try to seed it with my key.
Check the config file and if it doesn't match what we expect
assume the user has configured appropriately and don't seed the DB.
Actually close the socket in keyd/the keyd backend
We were calling shutdown() on the socket, but this isn't sufficient -
we need to call close() as well. Otherwise we end up leaking sockets
and eventually keyd can no longer service requests.
We were defining a custom compile rule for the keydb .c -> .o stage,
which left out the CFLAGS. We don't need this; the custom bit is at
link time so we pick up the right libs.
libdb4.7 isn't in stable (lenny) and libdb4.8 is in testing (squeeze)
and sid, so given that we can do the auto upgrade no reason not to
bump to use the latest. Tested with 20000+ invocations of "onak index"
to try to confirm no repeat of the read-only-open problem hit with 4.6.
We didn't specify the version in the README, though it was correct in
debian/copyright. Add the version to the README and point to the
versioned file in debian/copyright rather than the symlink to the
current version.
Change PostgreSQL backend to use PQescapeStringConn
While the PostgreSQL backend is not known to be in use anywhere we were
using an older escaping function (PQescapeString) which does not have
knowledge of the connection character encoding and so has potential
problems. Switch to using PQescapeStringConn, which does have this
knowledge.
Don't add a key to the stats hash if it doesn't have any sigs
We always added a key to the stats hash if we tried to find its sigs,
even if it didn't exist. So if it doesn't have any sigs (either because
it doesn't exist or it's just a non linked in key), don't add it.
Closes Debian bug #542187.
Correct formatting of some places we output a keyid
Format keyids in various places to be 16 digits long, zero padded
if necessary. Closes Debian bug #540196 (which has a patch from
Philippe Teuwen, but that uses 8 digits instead of 16).