+ recognise ascii-armoured encrypted messages properly, in memory and
in files
+ print error message and exit for now when trying to encrypt with a DSA key
+ fix bug reported by dyoung when trying to print out the encryption key
fingerprint
we're ELF now, and there are many missing checks against OBJECT_FMT.
if we ever consider switching, the we can figure out what new ones
we need but for now it's just clutter.
this doesn't remove any of the support for exec_aout or any actually
required-for-boot a.out support, only the ability to build a netbsd
release in a.out format. ie, most of this code has been dead for
over a decade.
i've tested builds on vax, amd64, i386, mac68k, macppc, sparc, atari,
amiga, shark, cats, dreamcast, landisk, mmeye and x68k. this covers
the 5 MACHINE_ARCH's affected, and all the other arch code touched.
it also includes some actual run-time testing of sparc, i386 and
shark, and i performed binary comparison upon amiga and x68k as well.
some minor details relevant:
- move shlib.[ch] from ld.aout_so into ldconfig proper, and cut them
down to only the parts ldconfig needs
- remove various unused source files
- switch amiga bootblocks to using elf2bb.h instead of aout2bb.h
+ make ssh fingerprints (md5) match netpgp listing
+ use the more functional hexdump function from ssh2pgp in place of the
older hexdump function from openpgpsdk
+ pass hash type down from command line where needed
+ add test for netpgp/ssh key fingerprint matching
+ make netpgpkeys(1) take a --hash= option
With these changes, netpgp can be made to generate the same fingerprint as
openssh (by default, ssh-keygen(1) uses an md5 digest)
% /usr/bin/netpgpkeys --ssh-keys --sshkeyfile=/etc/ssh/ssh_host_rsa_key.pub --list-keys --hash=md5
1 key
pub 1024/RSA (Encrypt or Sign) fcdd1c608bef4c4b 2008-08-11
Key fingerprint: e935 902d ebf1 76ba fcdd 1c60 8bef 4c4b
uid osx-vm1.crowthorne.alistaircrooks.co.uk (/etc/ssh/ssh_host_rsa_key.pub) <root@osx-vm1.crowthorne.alistaircrooks.co.uk>
% ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
1024 e9:35:90:2d:eb:f1:76:ba:fc:dd:1c:60:8b:ef:4c:4b /etc/ssh/ssh_host_rsa_key.pub (RSA)
%
Changes since 3.99.2:
+ avoid possible free() of new value passed to netpgp_setvar(),
with thanks to Anon Ymous.
+ netpgpkeys(1): print keys to stdout, not stderr - reported by Anon
Ymous.
+ fix DSA signatures and verification
+ simplify and shorten the internals of packet processing by getting rid of
the intermediate pseudo-abstraction layer, which detracted from understanding
and had no benefit whatsoever. Rename some enums and some definitions.
+ add some checking to new key generation, and don't try to read in
the keys after writing them - reported by Tyler Retzlaff
don't try to re-read the key after writing it - that's done by a separate
function. Problem found by Tyler Retzlaff, fixed in a different way.
check that keyrings are non-NULL before attempting to free them - from a
nudge by Tyler Retzlaff.
advance its counter if it's non-NULL.
Regression test for this is:
netpgpkeys --list-key '\.de\>'
with my standard keyring (to list all keys which have at least one subuid
with a German email address).
verify functionality was useful, but the time has come to learn lessons
and move on.
Replace the trimmed down code with a call to the verification code from
libnetpgp(3).
The DSA algorithm seems to require a digest value which is 20 bytes
long, which kind of implies SHA-1.
If we have a DSA signature, use SHA-1 as a hash algorithm, for backwards
compatibility. RSA signatures continue to use SHA256 by default, although
this can be given as an argument, if desired.
This fixes DSA signatures with netpgp:
% netpgp --sign --userid d4a643c5 a
pub 1024/DSA 8222c3ecd4a643c5 2010-05-19 [EXPIRES 2013-05-18]
Key fingerprint: 3e4a 5df4 033b 2333 219b 1afd 8222 c3ec d4a6 43c5
uid Alistair Crooks (DSA TEST KEY - DO NOT USE) <agc@netbsd.org>
sub 1024/DSA 8222c3ecd4a643c5 2010-05-19 [EXPIRES 2013-05-18]
netpgp passphrase:
% netpgp --verify a.gpg
Good signature for a.gpg made Tue May 18 05:41:25 2010
using DSA key 8222c3ecd4a643c5
pub 1024/DSA 8222c3ecd4a643c5 2010-05-19 [EXPIRES 2013-05-18]
Key fingerprint: 3e4a 5df4 033b 2333 219b 1afd 8222 c3ec d4a6 43c5
uid Alistair Crooks (DSA TEST KEY - DO NOT USE) <agc@netbsd.org>
sub 1024/DSA 8222c3ecd4a643c5 2010-05-19 [EXPIRES 2013-05-18]
%
change the pre-defined stdio streams to be denoted by "<stdout>" and
"<stderr>", to distinguish them from file names.
In netpgpkeys(1), send the default "res" (results) stream to stdout,
rather than stderr. Requested by Anon Ymous (and makes perfect sense).
the event that a reference to the value is passed to the
netpgp_setvar() function as the new value. Problem noted, cause
detected, and most of the fix contributed by, Anon Ymous. Thanks!
agc