gpg: Don't take the a TOFU trust model from the trustdb,
* g10/tdbio.c (tdbio_update_version_record): Never store a TOFU model. (create_version_record): Don't init as TOFU. (tdbio_db_matches_options): Don't indicate a change in case TOFU is stored in an old trustdb file. -- This change allows switching between the tofu, pgp, and tofu+pgp trust models without an automatic rebuild of the trustdb. It also requires that the tofu trust model be requested explicitly on the command line. If TOFU ever becomes the default, the model detection via TM_AUTO needs to be tweaked to also look into the TOFU database. GnuPG-bug-id: 4134
This commit is contained in:
parent
b6275f3bda
commit
150a33df41
@ -1724,7 +1724,8 @@ Set what trust model GnuPG should follow. The models are:
|
|||||||
@opindex trust-model:auto
|
@opindex trust-model:auto
|
||||||
Select the trust model depending on whatever the internal trust
|
Select the trust model depending on whatever the internal trust
|
||||||
database says. This is the default model if such a database already
|
database says. This is the default model if such a database already
|
||||||
exists.
|
exists. Note that a tofu trust model is not considered here and
|
||||||
|
must be enabled explicitly.
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
@item --auto-key-locate @var{mechanisms}
|
@item --auto-key-locate @var{mechanisms}
|
||||||
|
29
g10/tdbio.c
29
g10/tdbio.c
@ -562,6 +562,12 @@ tdbio_update_version_record (ctrl_t ctrl)
|
|||||||
{
|
{
|
||||||
TRUSTREC rec;
|
TRUSTREC rec;
|
||||||
int rc;
|
int rc;
|
||||||
|
int opt_tm;
|
||||||
|
|
||||||
|
/* Never store a TOFU trust model in the trustdb. Use PGP instead. */
|
||||||
|
opt_tm = opt.trust_model;
|
||||||
|
if (opt_tm == TM_TOFU || opt_tm == TM_TOFU_PGP)
|
||||||
|
opt_tm = TM_PGP;
|
||||||
|
|
||||||
memset (&rec, 0, sizeof rec);
|
memset (&rec, 0, sizeof rec);
|
||||||
|
|
||||||
@ -572,7 +578,7 @@ tdbio_update_version_record (ctrl_t ctrl)
|
|||||||
rec.r.ver.marginals = opt.marginals_needed;
|
rec.r.ver.marginals = opt.marginals_needed;
|
||||||
rec.r.ver.completes = opt.completes_needed;
|
rec.r.ver.completes = opt.completes_needed;
|
||||||
rec.r.ver.cert_depth = opt.max_cert_depth;
|
rec.r.ver.cert_depth = opt.max_cert_depth;
|
||||||
rec.r.ver.trust_model = opt.trust_model;
|
rec.r.ver.trust_model = opt_tm;
|
||||||
rec.r.ver.min_cert_level = opt.min_cert_level;
|
rec.r.ver.min_cert_level = opt.min_cert_level;
|
||||||
rc = tdbio_write_record (ctrl, &rec);
|
rc = tdbio_write_record (ctrl, &rec);
|
||||||
}
|
}
|
||||||
@ -591,6 +597,12 @@ create_version_record (ctrl_t ctrl)
|
|||||||
{
|
{
|
||||||
TRUSTREC rec;
|
TRUSTREC rec;
|
||||||
int rc;
|
int rc;
|
||||||
|
int opt_tm;
|
||||||
|
|
||||||
|
/* Never store a TOFU trust model in the trustdb. Use PGP instead. */
|
||||||
|
opt_tm = opt.trust_model;
|
||||||
|
if (opt_tm == TM_TOFU || opt_tm == TM_TOFU_PGP)
|
||||||
|
opt_tm = TM_PGP;
|
||||||
|
|
||||||
memset (&rec, 0, sizeof rec);
|
memset (&rec, 0, sizeof rec);
|
||||||
rec.r.ver.version = 3;
|
rec.r.ver.version = 3;
|
||||||
@ -598,8 +610,8 @@ create_version_record (ctrl_t ctrl)
|
|||||||
rec.r.ver.marginals = opt.marginals_needed;
|
rec.r.ver.marginals = opt.marginals_needed;
|
||||||
rec.r.ver.completes = opt.completes_needed;
|
rec.r.ver.completes = opt.completes_needed;
|
||||||
rec.r.ver.cert_depth = opt.max_cert_depth;
|
rec.r.ver.cert_depth = opt.max_cert_depth;
|
||||||
if (opt.trust_model == TM_PGP || opt.trust_model == TM_CLASSIC)
|
if (opt_tm == TM_PGP || opt_tm == TM_CLASSIC)
|
||||||
rec.r.ver.trust_model = opt.trust_model;
|
rec.r.ver.trust_model = opt_tm;
|
||||||
else
|
else
|
||||||
rec.r.ver.trust_model = TM_PGP;
|
rec.r.ver.trust_model = TM_PGP;
|
||||||
rec.r.ver.min_cert_level = opt.min_cert_level;
|
rec.r.ver.min_cert_level = opt.min_cert_level;
|
||||||
@ -883,16 +895,25 @@ tdbio_db_matches_options()
|
|||||||
{
|
{
|
||||||
TRUSTREC vr;
|
TRUSTREC vr;
|
||||||
int rc;
|
int rc;
|
||||||
|
int opt_tm, tm;
|
||||||
|
|
||||||
rc = tdbio_read_record (0, &vr, RECTYPE_VER);
|
rc = tdbio_read_record (0, &vr, RECTYPE_VER);
|
||||||
if( rc )
|
if( rc )
|
||||||
log_fatal( _("%s: error reading version record: %s\n"),
|
log_fatal( _("%s: error reading version record: %s\n"),
|
||||||
db_name, gpg_strerror (rc) );
|
db_name, gpg_strerror (rc) );
|
||||||
|
|
||||||
|
/* Consider tofu and pgp the same. */
|
||||||
|
tm = vr.r.ver.trust_model;
|
||||||
|
if (tm == TM_TOFU || tm == TM_TOFU_PGP)
|
||||||
|
tm = TM_PGP;
|
||||||
|
opt_tm = opt.trust_model;
|
||||||
|
if (opt_tm == TM_TOFU || opt_tm == TM_TOFU_PGP)
|
||||||
|
opt_tm = TM_PGP;
|
||||||
|
|
||||||
yes_no = vr.r.ver.marginals == opt.marginals_needed
|
yes_no = vr.r.ver.marginals == opt.marginals_needed
|
||||||
&& vr.r.ver.completes == opt.completes_needed
|
&& vr.r.ver.completes == opt.completes_needed
|
||||||
&& vr.r.ver.cert_depth == opt.max_cert_depth
|
&& vr.r.ver.cert_depth == opt.max_cert_depth
|
||||||
&& vr.r.ver.trust_model == opt.trust_model
|
&& tm == opt_tm
|
||||||
&& vr.r.ver.min_cert_level == opt.min_cert_level;
|
&& vr.r.ver.min_cert_level == opt.min_cert_level;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
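Review bot: The TOFU-to-PGP normalization is now spelled out three times (in tdbio_update_version_record, create_version_record and tdbio_db_matches_options), so a single file-scope helper such as `static int stored_trust_model (int tm) { return (tm == TM_TOFU || tm == TM_TOFU_PGP) ? TM_PGP : tm; }` would keep the three sites from drifting apart. In create_version_record the added normalization is redundant as written, because the existing else branch already stores TM_PGP for any model other than TM_PGP or TM_CLASSIC; it is harmless, but worth a note so nobody "fixes" it later. The comment `/* Consider tofu and pgp the same. */` in tdbio_db_matches_options would be more useful if it stated the reason, e.g. `/* TOFU is never written to the trustdb (see tdbio_update_version_record), but an older trustdb may still carry it; treating it as PGP avoids a spurious rebuild. */`. Since the stored model is now PGP, a later run without --trust-model will select PGP via TM_AUTO rather than TOFU, which the gpg.texi change documents; a short cross-reference to that at the store site in tdbio_update_version_record would make the security consequence visible to the next maintainer.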