gnupg/g10/tofu.h

/* tofu.h - TOFU trust model.
 * Copyright (C) 2015 g10 Code GmbH
 *
 * This file is part of GnuPG.
 *
 * GnuPG is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * GnuPG is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 */

#ifndef G10_TOFU_H
#define G10_TOFU_H

#include <config.h>

/* For each binding, we have a trust policy.  */
enum tofu_policy
  {
    /* This value can be returned by tofu_get_policy to indicate that
       there is no policy set for the specified binding.  */
    TOFU_POLICY_NONE = 0,

    /* We made a default policy decision.  This is only done if there
       is no conflict with another binding (that is, the email address
       is not part of another known key).  The default policy is
       configurable (and specified using: --tofu-default-policy).

       Note: when using the default policy, we save TOFU_POLICY_AUTO
       with the binding, not the policy that was in effect.  This way,
       if the user invokes gpg again, but with a different value for
       --tofu-default-policy, a different decision is made.  */
    TOFU_POLICY_AUTO = 1,

    /* The user explicitly marked the binding as good.  In this case,
       we return TRUST_FULLY.  */
    TOFU_POLICY_GOOD = 2,

    /* The user explicitly marked the binding as unknown.  In this
       case, we return TRUST_UNKNOWN.  */
    TOFU_POLICY_UNKNOWN = 3,

    /* The user explicitly marked the binding as bad.  In this case,
       we always return TRUST_NEVER.  */
    TOFU_POLICY_BAD = 4,

    /* The user deferred a definitive policy decision about the
       binding (by selecting accept once or reject once).  The next
       time we see this binding, we should ask the user what to
       do.  */
    TOFU_POLICY_ASK = 5
  };

/* Return a string representation of a trust policy.  Returns "???" if
   POLICY is not valid.  */
const char *tofu_policy_str (enum tofu_policy policy);

/* Convert a binding policy (e.g., TOFU_POLICY_BAD) to a trust level
   (e.g., TRUST_BAD) in light of the current configuration.  */
int tofu_policy_to_trust_level (enum tofu_policy policy);

/* Register the binding <FINGERPRINT, USER_ID> and the signature
   described by SIGS_DIGEST and SIG_TIME, which it generated.  Origin
   describes where the signed data came from, e.g., "email:claws"
   (default: "unknown").  If MAY_ASK is 1, then this function may
   interact with the user in the case of a conflict or if the
   binding's policy is ask.  This function returns the binding's trust
   level.  If an error occurs, it returns TRUST_UNKNOWN.  */
int tofu_register (const byte *fingerprint, const char *user_id,
		   const byte *sigs_digest, int sigs_digest_len,
		   time_t sig_time, const char *origin, int may_ask);

/* Combine a trust level returned from the TOFU trust model with a
   trust level returned by the PGP trust model.  This is primarily of
   interest when the trust model is tofu+pgp (TM_TOFU_PGP).  */
int tofu_wot_trust_combine (int tofu, int wot);

/* Determine the validity (TRUST_NEVER, etc.) of the binding
   <FINGERPRINT, USER_ID>.  If MAY_ASK is 1, then this function may
   interact with the user.  If not, TRUST_UNKNOWN is returned.  If an
   error occurs, TRUST_UNDEFINED is returned.  */
int tofu_get_validity (const byte *fingerprint, const char *user_id,
		       int may_ask);

/* Set the policy for all non-revoked user ids in the keyblock KB to
   POLICY.  */
gpg_error_t tofu_set_policy (kbnode_t kb, enum tofu_policy policy);

/* Set the TOFU policy for all non-revoked users in the key with the
   key id KEYID to POLICY.  */
gpg_error_t tofu_set_policy_by_keyid (u32 *keyid, enum tofu_policy policy);

/* Return the TOFU policy for the specified binding in *POLICY.  */
gpg_error_t tofu_get_policy (PKT_public_key *pk, PKT_user_id *user_id,
			     enum tofu_policy *policy);

#endif
g10: Add TOFU support. * configure.ac: Check for sqlite3. (SQLITE3_CFLAGS): AC_SUBST it. (SQLITE3_LIBS): Likewise. * g10/Makefile.am (AM_CFLAGS): Add $(SQLITE3_CFLAGS). (gpg2_SOURCES): Add tofu.h and tofu.c. (gpg2_LDADD): Add $(SQLITE3_LIBS). * g10/tofu.c: New file. * g10/tofu.h: New file. * g10/options.h (trust_model): Define TM_TOFU and TM_TOFU_PGP. (tofu_db_format): Define. * g10/packet.h (PKT_signature): Add fields digest and digest_len. * g10/gpg.c: Include "tofu.h". (cmd_and_opt_values): Declare aTOFUPolicy, oTOFUDefaultPolicy, oTOFUDBFormat. (opts): Add them. (parse_trust_model): Recognize the tofu and tofu+pgp trust models. (parse_tofu_policy): New function. (parse_tofu_db_format): New function. (main): Initialize opt.tofu_default_policy and opt.tofu_db_format. Handle aTOFUPolicy, oTOFUDefaultPolicy and oTOFUDBFormat. * g10/mainproc.c (do_check_sig): If the signature is good, copy the hash to SIG->DIGEST and set SIG->DIGEST_LEN appropriately. * g10/trustdb.h (get_validity): Add arguments sig and may_ask. Update callers. (tdb_get_validity_core): Add arguments sig and may_ask. Update callers. * g10/trust.c (get_validity) Add arguments sig and may_ask. Pass them to tdb_get_validity_core. * g10/trustdb.c: Include "tofu.h". (trust_model_string): Handle TM_TOFU and TM_TOFU_PGP. (tdb_get_validity_core): Add arguments sig and may_ask. If OPT.TRUST_MODEL is TM_TOFU or TM_TOFU_PGP, compute the TOFU trust level. Combine it with the computed PGP trust level, if appropriate. * g10/keyedit.c: Include "tofu.h". (show_key_with_all_names_colon): If the trust mode is tofu or tofu+pgp, then show the trust policy. * g10/keylist.c: Include "tofu.h". (public_key_list): Also show the PGP stats if the trust model is TM_TOFU_PGP. (list_keyblock_colon): If the trust mode is tofu or tofu+pgp, then show the trust policy. * g10/pkclist.c: Include "tofu.h". * g10/gpgv.c (get_validity): Add arguments sig and may_ask. (enum tofu_policy): Define. (tofu_get_policy): New stub. (tofu_policy_str): Likewise. * g10/test-stubs.c (get_validity): Add arguments sig and may_ask. (enum tofu_policy): Define. (tofu_get_policy): New stub. (tofu_policy_str): Likewise. * doc/DETAILS: Describe the TOFU Policy field. * doc/gpg.texi: Document --tofu-set-policy, --trust-model=tofu, --trust-model=tofu+pgp, --tofu-default-policy and --tofu-db-format. * tests/openpgp/Makefile.am (TESTS): Add tofu.test. (TEST_FILES): Add tofu-keys.asc, tofu-keys-secret.asc, tofu-2183839A-1.txt, tofu-BC15C85A-1.txt and tofu-EE37CF96-1.txt. (CLEANFILES): Add tofu.db. (clean-local): Add tofu.d. * tests/openpgp/tofu.test: New file. * tests/openpgp/tofu-2183839A-1.txt: New file. * tests/openpgp/tofu-BC15C85A-1.txt: New file. * tests/openpgp/tofu-EE37CF96-1.txt: New file. * tests/openpgp/tofu-keys.asc: New file. * tests/openpgp/tofu-keys-secret.asc: New file. -- Signed-off-by: Neal H. Walfield <neal@g10code.com>. 2015-10-18 18:44:05 +02:00			`/* tofu.h - TOFU trust model.`
			`* Copyright (C) 2015 g10 Code GmbH`
			`*`
			`* This file is part of GnuPG.`
			`*`
			`* GnuPG is free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`* the Free Software Foundation; either version 3 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* GnuPG is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* along with this program; if not, see <http://www.gnu.org/licenses/>.`
			`*/`

			`#ifndef G10_TOFU_H`
			`#define G10_TOFU_H`

			`#include <config.h>`

			`/* For each binding, we have a trust policy. */`
			`enum tofu_policy`
			`{`
			`/* This value can be returned by tofu_get_policy to indicate that`
			`there is no policy set for the specified binding. */`
			`TOFU_POLICY_NONE = 0,`

			`/* We made a default policy decision. This is only done if there`
			`is no conflict with another binding (that is, the email address`
			`is not part of another known key). The default policy is`
			`configurable (and specified using: --tofu-default-policy).`

			`Note: when using the default policy, we save TOFU_POLICY_AUTO`
			`with the binding, not the policy that was in effect. This way,`
			`if the user invokes gpg again, but with a different value for`
			`--tofu-default-policy, a different decision is made. */`
			`TOFU_POLICY_AUTO = 1,`

			`/* The user explicitly marked the binding as good. In this case,`
			`we return TRUST_FULLY. */`
			`TOFU_POLICY_GOOD = 2,`

			`/* The user explicitly marked the binding as unknown. In this`
			`case, we return TRUST_UNKNOWN. */`
			`TOFU_POLICY_UNKNOWN = 3,`

			`/* The user explicitly marked the binding as bad. In this case,`
			`we always return TRUST_NEVER. */`
			`TOFU_POLICY_BAD = 4,`

			`/* The user deferred a definitive policy decision about the`
			`binding (by selecting accept once or reject once). The next`
			`time we see this binding, we should ask the user what to`
			`do. */`
			`TOFU_POLICY_ASK = 5`
			`};`

			`/* Return a string representation of a trust policy. Returns "???" if`
			`POLICY is not valid. */`
			`const char *tofu_policy_str (enum tofu_policy policy);`

			`/* Convert a binding policy (e.g., TOFU_POLICY_BAD) to a trust level`
			`(e.g., TRUST_BAD) in light of the current configuration. */`
			`int tofu_policy_to_trust_level (enum tofu_policy policy);`

			`/* Register the binding <FINGERPRINT, USER_ID> and the signature`
			`described by SIGS_DIGEST and SIG_TIME, which it generated. Origin`
			`describes where the signed data came from, e.g., "email:claws"`
			`(default: "unknown"). If MAY_ASK is 1, then this function may`
			`interact with the user in the case of a conflict or if the`
			`binding's policy is ask. This function returns the binding's trust`
			`level. If an error occurs, it returns TRUST_UNKNOWN. */`
			`int tofu_register (const byte fingerprint, const char user_id,`
			`const byte *sigs_digest, int sigs_digest_len,`
			`time_t sig_time, const char *origin, int may_ask);`

			`/* Combine a trust level returned from the TOFU trust model with a`
			`trust level returned by the PGP trust model. This is primarily of`
			`interest when the trust model is tofu+pgp (TM_TOFU_PGP). */`
			`int tofu_wot_trust_combine (int tofu, int wot);`

			`/* Determine the validity (TRUST_NEVER, etc.) of the binding`
			`<FINGERPRINT, USER_ID>. If MAY_ASK is 1, then this function may`
			`interact with the user. If not, TRUST_UNKNOWN is returned. If an`
			`error occurs, TRUST_UNDEFINED is returned. */`
			`int tofu_get_validity (const byte fingerprint, const char user_id,`
			`int may_ask);`

			`/* Set the policy for all non-revoked user ids in the keyblock KB to`
			`POLICY. */`
			`gpg_error_t tofu_set_policy (kbnode_t kb, enum tofu_policy policy);`

			`/* Set the TOFU policy for all non-revoked users in the key with the`
			`key id KEYID to POLICY. */`
			`gpg_error_t tofu_set_policy_by_keyid (u32 *keyid, enum tofu_policy policy);`

			`/* Return the TOFU policy for the specified binding in POLICY. /`
			`gpg_error_t tofu_get_policy (PKT_public_key pk, PKT_user_id user_id,`
			`enum tofu_policy *policy);`

			`#endif`