1 //! OpenPGP data types and associated machinery for C. 2 //! 3 //! This crate aims to provide a complete implementation of OpenPGP as 4 //! defined by [RFC 4880] as well as several extensions (e.g., [RFC 5 //! 6637], which describes ECC cryptography for OpenPGP, and [RFC 6 //! 4880bis], the draft of the next OpenPGP standard). This includes 7 //! support for unbuffered message processing. 8 //! 9 //! A few features that the OpenPGP community considers to be 10 //! deprecated (e.g., version 3 compatibility) have been left out as 11 //! well as support for functionality that we consider to be not only 12 //! completely useless, but also dangerous (e.g., support for 13 //! [unhashed signature subpackets]). We have also updated some 14 //! OpenPGP defaults to avoid foot guns (e.g., this crate does not 15 //! fallback to IDEA, but instead assumes all OpenPGP implementations 16 //! understand AES). If some functionality is missing, please file a 17 //! bug report. 18 //! 19 //! A non-goal of this crate is support for any sort of high-level, 20 //! bolted-on functionality. For instance, [RFC 4880] does not define 21 //! trust models, such as the web of trust, direct trust, or TOFU. 22 //! Neither does this crate. [RFC 4880] does provide some mechanisms 23 //! for creating trust models (specifically, UserID certifications), 24 //! and this crate does expose those mechanisms. 25 //! 26 //! We also try hard to avoid dictating how OpenPGP should be used. 27 //! This doesn't mean that we don't have opinions about how OpenPGP 28 //! should be used in a number of common scenarios (for instance, 29 //! message validation). But, in this crate, we refrain from 30 //! expressing those opinions; we expose an opinionated, high-level 31 //! interface in the [sequoia-core] and related crates. In our 32 //! opinion, you should generally use those crates instead of this 33 //! one. 34 //! 35 //! [RFC 4880]: https://tools.ietf.org/html/rfc4880 36 //! [RFC 6637]: https://tools.ietf.org/html/rfc6637 37 //! [RFC 4880bis]: https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-05 38 //! [unhashed signature subpackets]: https://tools.ietf.org/html/rfc4880#section-5.2.3.2 39 //! [sequoia-core]: ../sequoia_core 40 //! 41 //! 42 //! # Dear User, 43 //! 44 //! This library is written in Rust. Its expressive type system helps 45 //! prevent many classes of bugs, but it is also very demanding. 46 //! For example, the infamous borrow checker, feared by those who dare 47 //! to approach Rust, allows us to safely use shared resources. If 48 //! you want to use this library, we need you to follow a set of 49 //! rules, and you don't have the borrow checker to double check. 50 //! 51 //! We provide a set of functions that use C types and the C calling 52 //! convention. These interfaces allow you to use Sequoia safely from 53 //! any other language provided that you follow [The Rules]. 54 //! 55 //! If you don't follow [The Rules], we will terminate the process. 56 //! That is not meant as a threat, of course. But, as in C, passing a 57 //! bad pointer to a function is undefined behavior in Rust. 58 //! Therefore, passing a bad pointer to a function in this crate is 59 //! undefined behavior as well. We try to mitigate this problem by 60 //! trying to detect undefined behavior resulting from not following 61 //! [The Rules] by printing assertion failures on stderr, and 62 //! terminating the process. 63 //! 64 //! In return for following [The Rules], you can enjoy the reliability 65 //! that Rust's type system brings this library. For example, the 66 //! robust tracking of ownership ensures that we will not leak memory. 67 //! 68 //! The C API is documented here. We invite you to visit the 69 //! documentation for the [corresponding Rust crate], the structure 70 //! closely resembles this crate. 71 //! 72 //! [The Rules]: #the-rules 73 //! [corresponding Rust crate]: ../sequoia_openpgp/index.html 74 //! 75 //! 76 //! # Examples 77 //! 78 //! This documentation contains examples in the style of Rust 79 //! examples. For short examples, we will omit the main function. 80 //! For example: 81 //! 82 //! ```c 83 //! #include <sequoia/openpgp.h> 84 //! #include <error.h> 85 //! 86 //! pgp_error_t err; 87 //! pgp_cert_t cert = pgp_cert_from_file (&err, "../openpgp/tests/data/keys/testy.pgp"); 88 //! if (cert == NULL) 89 //! error (1, 0, "pgp_cert_from_file: %s", pgp_error_to_string (err)); 90 //! 91 //! /* XXX: Do something interesting. */ 92 //! 93 //! pgp_cert_free (cert); 94 //! ``` 95 //! 96 //! The examples are compiled and executed as part of the test suite, 97 //! and they will free all objects that are created. 98 //! 99 //! 100 //! # The Rules 101 //! 102 //! These rules must be followed. Failure to follow these rules 103 //! results in problems like memory leaks, undefined behavior, or 104 //! process termination. This is also a guide on how to read the 105 //! documentation for this library. 106 //! 107 //! ## Undefined Behavior 108 //! 109 //! Undefined behavior means that the state of the library is 110 //! inconsistent, and the resulting behavior is unpredictable. It 111 //! often leads to security problems, like information exfiltration, 112 //! or code execution. 113 //! 114 //! Undefined behavior may be the result of a bug in this library, or 115 //! due to failure to comply to [The Rules]. Furthermore, memory 116 //! exhaustion may lead to undefined behavior. 117 //! 118 //! This library tries to detect cases of undefined behavior, and 119 //! *abort(3)* the process. This fail-fast policy helps to protect 120 //! against exfiltration and code execution attacks, and should 121 //! clearly highlight either a bug in this library (please get in 122 //! contact!), or a bug in your code. 123 //! 124 //! ## Error Handling 125 //! 126 //! Errors happen and must be handled by the caller. There are 127 //! functions that cannot fail, functions that may fail, and functions 128 //! that may fail and communicate a complex error value to the caller. 129 //! 130 //! Functions that cannot fail are a nice consequence of the 131 //! 'fail-fast on undefined behavior'-rule. An example of such 132 //! function is [`pgp_fingerprint_to_string`]. This function cannot 133 //! fail, unless either the given fingerprint reference is invalid, 134 //! or the allocation for the string failed, which is considered 135 //! undefined behavior. 136 //! 137 //! [`pgp_fingerprint_to_string`]: fingerprint/struct.Fingerprint.html#method.pgp_fingerprint_to_string 138 //! 139 //! Failing functions signal failure either in-band (e.g. `NULL`, or 140 //! -1), using `pgp_status_t`, and may store complex error information 141 //! in a caller-provided location. For example, constructors often 142 //! return `NULL` to signal errors. An example of a constructor that 143 //! may fail and return `NULL`, but does not communicate complex error 144 //! is [`pgp_fingerprint_from_hex`]. [`pgp_packet_parser_from_bytes`], 145 //! on the other hand, will return `NULL` and store a complex error at 146 //! the location given using the `errp` parameter. 147 //! 148 //! [`pgp_fingerprint_from_hex`]: fingerprint/struct.Fingerprint.html#method.pgp_fingerprint_from_hex 149 //! [`pgp_packet_parser_from_bytes`]: parse/fn.pgp_packet_parser_from_bytes.html 150 //! 151 //! Errors may be inspected using [`pgp_error_status`], and formatted 152 //! as an error message using [`pgp_error_to_string`]. Errors must be freed 153 //! using [`pgp_error_free`]. 154 //! 155 //! [`pgp_error_status`]: error/fn.pgp_error_status.html 156 //! [`pgp_error_to_string`]: error/fn.pgp_error_to_string.html 157 //! [`pgp_error_free`]: error/fn.pgp_error_free.html 158 //! 159 //! ## Types 160 //! 161 //! When we interact across the FFI boundary between C and Rust, we 162 //! need to talk about the types used to interchange data. The types 163 //! follow different rules. 164 //! 165 //! ### Objects 166 //! 167 //! Sequoia objects are opaque objects. They are created in 168 //! constructors, and must be freed when no longer needed. Failure to 169 //! free an object results in a memory leak. 170 //! 171 //! A typical example of creating an object, using it, and 172 //! deallocating it is the following in which we [parse a fingerprint] 173 //! from a hexadecimal number, and then [pretty-print] it for user 174 //! consumption: 175 //! 176 //! [parse a fingerprint]: fingerprint/fn.pgp_fingerprint_from_hex.html 177 //! [pretty-print]: fingerprint/fn.pgp_fingerprint_to_string.html 178 //! 179 //! ```c 180 //! #include <assert.h> 181 //! #include <stdlib.h> 182 //! #include <string.h> 183 //! #include <sequoia/openpgp.h> 184 //! 185 //! pgp_fingerprint_t fp = 186 //! pgp_fingerprint_from_hex ("D2F2C5D45BE9FDE6A4EE0AAF31855247603831FD"); 187 //! 188 //! char *pretty = pgp_fingerprint_to_string (fp); 189 //! assert (strcmp (pretty, 190 //! "D2F2 C5D4 5BE9 FDE6 A4EE 0AAF 3185 5247 6038 31FD") == 0); 191 //! 192 //! free (pretty); 193 //! pgp_fingerprint_free (fp); 194 //! ``` 195 //! 196 //! After use, the fingerprint object must be deallocated. Although 197 //! not the case here, an object may reference an existing objects. 198 //! As such, it is good practice to deallocate the objects in the 199 //! reverse order to which they were created to avoid having the 200 //! destructor trigger a use-after-free bug. 201 //! 202 //! #### Ownership 203 //! 204 //! In Rust, every value has an owner. A value may reside on the 205 //! stack, on the heap, or be embedded in a struct or enum. If you 206 //! take ownership of an object, e.g., by using some constructor, it 207 //! is your responsibility to manage its lifetime. The most common 208 //! way to transfer ownership back to Rust is to deallocate the 209 //! object. Failure to deallocate an object leads to a memory leak. 210 //! 211 //! Looking at the Rust functions in this library, when ownership of 212 //! an object of type `T` is transferred across the FFI boundary, the 213 //! function signature uses the type `*mut T`. 214 //! 215 //! In this crate, we use a series of macros to transfer ownership from 216 //! Rust to C. `ffi_try_box` matches on `Result<T>`, handling errors 217 //! by terminating the current function and returning the error. 218 //! `maybe_box_raw` matches on `Option<T>`, turning `None` into 219 //! `NULL`. Finally, `box_raw` is merely a shortcut for 220 //! `Box::into_raw(Box::new(..))`. 221 //! 222 //! ### References 223 //! 224 //! All references transferred across the FFI boundary must be valid, 225 //! and point to live objects constructed using constructors of this 226 //! library. Using references constructed in any other way results in 227 //! undefined behavior. 228 //! 229 //! In some places, references handed to, or returned from this 230 //! library may be `NULL`. This is the exception rather than the 231 //! rule. If you look at a function's Rust signature, an `Option<&T>` 232 //! or `Option<&mut T>` is used for arguments or results that may be 233 //! NULL. On the other hand, function arguments that are not optional 234 //! use `*const T`, or `*mut T`. 235 //! 236 //! Application code must adhere to Rust's reference rules: 237 //! 238 //! - Either one mutable reference or any number of immutable ones. 239 //! - All references are non-`NULL`. 240 //! - All references are valid. 241 //! 242 //! In this crate we enforce the second rule by asserting that all 243 //! pointers handed in are non-`NULL`. An exception is if a parameter 244 //! of an FFI function uses `Option<&T>` or `Option<&mut T>`. In that 245 //! case it may be called with `NULL`. Notable exceptions are the 246 //! destructors (`pgp_*_free`). 247 //! 248 //! ### Lifetimes 249 //! 250 //! If you derive a complex object from another complex object, you 251 //! must assume that the original object is borrowed (i.e., 252 //! referenced) by the resulting object unless explicitly stated 253 //! otherwise. For example, objects created using a context must not 254 //! outlive that context. Similarly, iterators must not outlive the 255 //! object they are created from. It is a good practice to 256 //! deallocate the objects in the reverse order they were created in. 257 //! 258 //! Failing to adhere to lifetime restrictions results in undefined 259 //! behavior. 260 //! 261 //! ### Strings 262 //! 263 //! Strings given to this library must be UTF-8 encoded and 264 //! zero-terminated. Malformed characters will be substituted. 265 //! 266 //! Strings produced by this library will be UTF-8 encoded and 267 //! zero-terminated. Malformed characters will be substituted. They 268 //! will be allocated using *malloc(3)* und must be *free(3)* d. A 269 //! few functions in this library may return a `const char *`, which 270 //! must not be freed. 271 //! 272 //! ### Enumerations 273 //! 274 //! Values must be constructed using functionality provided by 275 //! this library. Using values constructed in any other way is 276 //! undefined behavior. 277 //! 278 //! In the following example, we will decode an armored blob in 279 //! memory. Note how we use `PGP_ARMOR_KIND_ANY` in the [constructor] 280 //! of the armor reader to indicate that we will consume any kind of 281 //! data, and later use `PGP_ARMOR_KIND_FILE` to check what we got in 282 //! the end. 283 //! 284 //! [constructor]: armor/fn.pgp_armor_reader_from_bytes.html 285 //! 286 //! ```c 287 //! #include <assert.h> 288 //! #include <error.h> 289 //! #include <stdlib.h> 290 //! #include <stdio.h> 291 //! #include <string.h> 292 //! #include <sequoia/openpgp.h> 293 //! 294 //! const char *armored = 295 //! "-----BEGIN PGP ARMORED FILE-----\n" 296 //! "\n" 297 //! "SGVsbG8gd29ybGQh\n" 298 //! "=s4Gu\n" 299 //! "-----END PGP ARMORED FILE-----\n"; 300 //! 301 //! pgp_reader_t armor = 302 //! pgp_armor_reader_from_bytes ((uint8_t *) armored, strlen (armored), 303 //! PGP_ARMOR_KIND_ANY); 304 //! 305 //! pgp_error_t err; 306 //! char message[12]; 307 //! if (pgp_reader_read (&err, armor, (uint8_t *) message, 12) != 12) 308 //! error (1, 0, "Reading failed: %s", pgp_error_to_string (err)); 309 //! 310 //! assert (pgp_armor_reader_kind (armor) == PGP_ARMOR_KIND_FILE); 311 //! assert (memcmp (message, "Hello world!", 12) == 0); 312 //! 313 //! pgp_reader_free (armor); 314 //! ``` 315 316 #![warn(missing_docs)] 317 318 #[macro_use] 319 extern crate lazy_static; 320 extern crate libc; 321 extern crate memsec; 322 323 extern crate sequoia_ffi_macros; 324 use sequoia_ffi_macros::{ 325 ffi_wrapper_type, 326 }; 327 328 extern crate sequoia_openpgp; 329 330 include!("common.rs"); 331