security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-05-19 09:02:22 +02:00
Code Activity

g10: Change tofu_register & tofu_get_validity to process multiple uids.

Browse Source 
* g10/tofu.c (tofu_register): Take a list of user ids, not a single
user id.  Only register the bindings, don't compute the trust.  Thus,
change return type to an int and remove the may_ask parameter.  Update
callers.
(tofu_get_validity): Take a list of user ids, not a single user id.
Update callers.  Observe signatures made by expired user ids, but
don't include them in the trust calculation.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
This commit is contained in:
Neal H. Walfield 2016-08-29 16:16:44 +02:00
parent 33e97813d7
commit 6052c14709
3 changed files with 240 additions and 199 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

192
g10/tofu.c
View File

@ -2164,8 +2164,9 @@ email_from_user_id (const char *user_id)
return email; return email;
} }
/* Register the signature with the binding <fingerprint, USER_ID>. /* Register the signature with the bindings <fingerprint, USER_ID>,
The fingerprint is taken from the primary key packet PK. for each USER_ID in USER_ID_LIST. The fingerprint is taken from
the primary key packet PK.
SIG_DIGEST_BIN is the binary representation of the message's SIG_DIGEST_BIN is the binary representation of the message's
digest. SIG_DIGEST_BIN_LEN is its length. digest. SIG_DIGEST_BIN_LEN is its length.
@ -2181,62 +2182,62 @@ email_from_user_id (const char *user_id)
This is necessary if there is a conflict or the binding's policy is This is necessary if there is a conflict or the binding's policy is
TOFU_POLICY_ASK. TOFU_POLICY_ASK.
This function returns the binding's trust level on return. If an This function returns 0 on success and an error code if an error
error occurs, this function returns TRUST_UNKNOWN. */ occured. */
int gpg_error_t
tofu_register (ctrl_t ctrl, PKT_public_key *pk, const char *user_id, tofu_register (ctrl_t ctrl, PKT_public_key *pk, strlist_t user_id_list,
const byte *sig_digest_bin, int sig_digest_bin_len, const byte *sig_digest_bin, int sig_digest_bin_len,
time_t sig_time, const char *origin, int may_ask) time_t sig_time, const char *origin)
{ {
gpg_error_t rc;
tofu_dbs_t dbs; tofu_dbs_t dbs;
char *fingerprint = NULL; char *fingerprint = NULL;
strlist_t user_id;
char *email = NULL; char *email = NULL;
char *err = NULL; char *err = NULL;
int rc;
int trust_level = TRUST_UNKNOWN;
char *sig_digest; char *sig_digest;
unsigned long c; unsigned long c;
int already_verified = 0;
sig_digest = make_radix64_string (sig_digest_bin, sig_digest_bin_len);
dbs = opendbs (ctrl); dbs = opendbs (ctrl);
if (! dbs) if (! dbs)
{ {
rc = gpg_error (GPG_ERR_GENERAL);
log_error (_("error opening TOFU database: %s\n"), log_error (_("error opening TOFU database: %s\n"),
gpg_strerror (GPG_ERR_GENERAL)); gpg_strerror (rc));
goto die; return rc;
}
fingerprint = hexfingerprint (pk, NULL, 0);
if (! *user_id)
{
log_debug ("TOFU: user id is empty. Can't continue.\n");
goto die;
}
email = email_from_user_id (user_id);
if (! origin)
/* The default origin is simply "unknown". */
origin = "unknown";
/* It's necessary to get the trust so that we are certain that the
binding has been registered. */
trust_level = get_trust (dbs, pk, fingerprint, email, user_id, may_ask);
if (trust_level == _tofu_GET_TRUST_ERROR)
/* An error. */
{
trust_level = TRUST_UNKNOWN;
goto die;
} }
/* We do a query and then an insert. Make sure they are atomic /* We do a query and then an insert. Make sure they are atomic
by wrapping them in a transaction. */ by wrapping them in a transaction. */
rc = begin_transaction (ctrl, 0); rc = begin_transaction (ctrl, 0);
if (rc) if (rc)
goto die; return rc;
sig_digest = make_radix64_string (sig_digest_bin, sig_digest_bin_len);
fingerprint = hexfingerprint (pk, NULL, 0);
if (! origin)
/* The default origin is simply "unknown". */
origin = "unknown";
for (user_id = user_id_list; user_id; user_id = user_id->next)
{
email = email_from_user_id (user_id->d);
if (DBG_TRUST)
log_debug ("TOFU: Registering signature %s with binding"
" <key: %s, user id: %s>\n",
sig_digest, fingerprint, email);
/* Make sure the binding exists and record any TOFU
conflicts. */
if (get_trust (dbs, pk, fingerprint, email, user_id->d, 0)
== _tofu_GET_TRUST_ERROR)
{
rc = gpg_error (GPG_ERR_GENERAL);
xfree (email);
break;
}
/* If we've already seen this signature before, then don't add /* If we've already seen this signature before, then don't add
it again. */ it again. */
@ -2263,16 +2264,17 @@ tofu_register (ctrl_t ctrl, PKT_public_key *pk, const char *user_id,
because <fingerprint, email, sig_time, sig_digest> is the because <fingerprint, email, sig_time, sig_digest> is the
primary key! */ primary key! */
log_debug ("SIGNATURES DB contains duplicate records" log_debug ("SIGNATURES DB contains duplicate records"
" <%s, %s, 0x%lx, %s, %s>." " <key: %s, fingerprint: %s, time: 0x%lx, sig: %s,"
" origin: %s>."
" Please report.\n", " Please report.\n",
fingerprint, email, (unsigned long) sig_time, fingerprint, email, (unsigned long) sig_time,
sig_digest, origin); sig_digest, origin);
else if (c == 1) else if (c == 1)
{ {
already_verified = 1;
if (DBG_TRUST) if (DBG_TRUST)
log_debug ("Already observed the signature" log_debug ("Already observed the signature and binding"
" <%s, %s, 0x%lx, %s, %s>\n", " <key: %s, user id: %s, time: 0x%lx, sig: %s,"
" origin: %s>\n",
fingerprint, email, (unsigned long) sig_time, fingerprint, email, (unsigned long) sig_time,
sig_digest, origin); sig_digest, origin);
} }
@ -2281,11 +2283,12 @@ tofu_register (ctrl_t ctrl, PKT_public_key *pk, const char *user_id,
log_info ("TOFU database update skipped due to --dry-run\n"); log_info ("TOFU database update skipped due to --dry-run\n");
} }
else else
/* This is the first time that we've seen this signature. /* This is the first time that we've seen this signature and
Record it. */ binding. Record it. */
{ {
if (DBG_TRUST) if (DBG_TRUST)
log_debug ("TOFU: Saving signature <%s, %s, %s>\n", log_debug ("TOFU: Saving signature"
" <key: %s, user id: %s, sig: %s>\n",
fingerprint, email, sig_digest); fingerprint, email, sig_digest);
log_assert (c == 0); log_assert (c == 0);
@ -2310,30 +2313,21 @@ tofu_register (ctrl_t ctrl, PKT_public_key *pk, const char *user_id,
} }
} }
/* It only matters whether we abort or commit the transaction xfree (email);
(so long as we do something) if we execute the insert. */
if (rc) if (rc)
rc = rollback_transaction (ctrl); break;
else
rc = end_transaction (ctrl, 0);
if (rc)
{
sqlite3_free (err);
goto die;
} }
die: if (rc)
if (may_ask && trust_level != TRUST_ULTIMATE) rollback_transaction (ctrl);
/* It's only appropriate to show the statistics in an interactive else
context. */ rc = end_transaction (ctrl, 0);
show_statistics (dbs, fingerprint, email, user_id,
already_verified ? NULL : sig_digest, NULL);
xfree (email);
xfree (fingerprint); xfree (fingerprint);
xfree (sig_digest); xfree (sig_digest);
return trust_level; return rc;
} }
/* Combine a trust level returned from the TOFU trust model with a /* Combine a trust level returned from the TOFU trust model with a
@ -2431,8 +2425,9 @@ tofu_write_tfs_record (ctrl_t ctrl, estream_t fp,
} }
/* Return the validity (TRUST_NEVER, etc.) of the binding /* Return the validity (TRUST_NEVER, etc.) of the bindings
<FINGERPRINT, USER_ID>. <FINGERPRINT, USER_ID>, for each USER_ID in USER_ID_LIST. If
USER_ID_LIST->FLAG is set, then the id is considered to be expired.
PK is the primary key packet. PK is the primary key packet.
@ -2442,43 +2437,80 @@ tofu_write_tfs_record (ctrl_t ctrl, estream_t fp,
Returns TRUST_UNDEFINED if an error occurs. */ Returns TRUST_UNDEFINED if an error occurs. */
int int
tofu_get_validity (ctrl_t ctrl, PKT_public_key *pk, const char *user_id, tofu_get_validity (ctrl_t ctrl, PKT_public_key *pk, strlist_t user_id_list,
int may_ask) int may_ask)
{ {
tofu_dbs_t dbs; tofu_dbs_t dbs;
char *fingerprint = NULL; char *fingerprint = NULL;
char *email = NULL; strlist_t user_id;
int trust_level = TRUST_UNDEFINED; int trust_level = TRUST_UNKNOWN;
dbs = opendbs (ctrl); dbs = opendbs (ctrl);
if (! dbs) if (! dbs)
{ {
log_error (_("error opening TOFU database: %s\n"), log_error (_("error opening TOFU database: %s\n"),
gpg_strerror (GPG_ERR_GENERAL)); gpg_strerror (GPG_ERR_GENERAL));
goto die; return TRUST_UNDEFINED;
} }
fingerprint = hexfingerprint (pk, NULL, 0); fingerprint = hexfingerprint (pk, NULL, 0);
if (! *user_id) begin_transaction (ctrl, 0);
for (user_id = user_id_list; user_id; user_id = user_id->next)
{ {
log_debug ("user id is empty." char *email = email_from_user_id (user_id->d);
" Can't get TOFU validity for this binding.\n");
/* Always call get_trust to make sure the binding is
registered. */
int tl = get_trust (dbs, pk, fingerprint, email, user_id->d, may_ask);
if (tl == _tofu_GET_TRUST_ERROR)
{
/* An error. */
trust_level = TRUST_UNDEFINED;
xfree (email);
goto die; goto die;
} }
email = email_from_user_id (user_id); if (DBG_TRUST)
log_debug ("TOFU: validity for <key: %s, user id: %s>: %s%s.\n",
fingerprint, email,
trust_value_to_string (tl),
user_id->flags ? " (but expired)" : "");
trust_level = get_trust (dbs, pk, fingerprint, email, user_id, may_ask); if (user_id->flags)
if (trust_level == _tofu_GET_TRUST_ERROR) tl = TRUST_EXPIRED;
/* An error. */
trust_level = TRUST_UNDEFINED;
if (may_ask && trust_level != TRUST_ULTIMATE) if (may_ask && tl != TRUST_ULTIMATE && tl != TRUST_EXPIRED)
show_statistics (dbs, fingerprint, email, user_id, NULL, NULL); show_statistics (dbs, fingerprint, email, user_id->d, NULL, NULL);
if (tl == TRUST_NEVER)
trust_level = TRUST_NEVER;
else if (tl == TRUST_EXPIRED)
/* Ignore expired bindings in the trust calculation. */
;
else if (tl > trust_level)
{
/* The expected values: */
log_assert (tl == TRUST_UNKNOWN || tl == TRUST_UNDEFINED
|| tl == TRUST_MARGINAL || tl == TRUST_FULLY
|| tl == TRUST_ULTIMATE);
/* We assume the following ordering: */
log_assert (TRUST_UNKNOWN < TRUST_UNDEFINED);
log_assert (TRUST_UNDEFINED < TRUST_MARGINAL);
log_assert (TRUST_MARGINAL < TRUST_FULLY);
log_assert (TRUST_FULLY < TRUST_ULTIMATE);
trust_level = tl;
}
xfree (email);
}
die: die:
xfree (email); end_transaction (ctrl, 0);
xfree (fingerprint); xfree (fingerprint);
return trust_level; return trust_level;
} }

36
g10/tofu.h
View File

@ -59,7 +59,7 @@ enum tofu_policy
TOFU_POLICY_ASK = 5, TOFU_POLICY_ASK = 5,
/* Privat evalue used only within tofu.c. */ /* Private value used only within tofu.c. */
_tofu_GET_POLICY_ERROR = 100 _tofu_GET_POLICY_ERROR = 100
}; };
@ -72,16 +72,19 @@ const char *tofu_policy_str (enum tofu_policy policy);
(e.g., TRUST_BAD) in light of the current configuration. */ (e.g., TRUST_BAD) in light of the current configuration. */
int tofu_policy_to_trust_level (enum tofu_policy policy); int tofu_policy_to_trust_level (enum tofu_policy policy);
/* Register the binding <PK, USER_ID> and the signature /* Register the bindings <PK, USER_ID>, for each USER_ID in
described by SIGS_DIGEST and SIG_TIME, which it generated. Origin USER_ID_LIST, and the signature described by SIGS_DIGEST and
describes where the signed data came from, e.g., "email:claws" SIG_TIME, which it generated. Origin describes where the signed
(default: "unknown"). If MAY_ASK is 1, then this function may data came from, e.g., "email:claws" (default: "unknown"). Note:
interact with the user in the case of a conflict or if the this function does not interact with the user, If there is a
binding's policy is ask. This function returns the binding's trust conflict, or if the binding's policy is ask, the actual interaction
level. If an error occurs, it returns TRUST_UNKNOWN. */ is deferred until tofu_get_validity is called.. Set the string
int tofu_register (ctrl_t ctrl, PKT_public_key *pk, const char *user_id, list FLAG to indicate that a specified user id is expired. This
function returns 0 on success and an error code on failure. */
gpg_error_t tofu_register (ctrl_t ctrl, PKT_public_key *pk,
strlist_t user_id_list,
const byte *sigs_digest, int sigs_digest_len, const byte *sigs_digest, int sigs_digest_len,
time_t sig_time, const char *origin, int may_ask); time_t sig_time, const char *origin);
/* Combine a trust level returned from the TOFU trust model with a /* Combine a trust level returned from the TOFU trust model with a
trust level returned by the PGP trust model. This is primarily of trust level returned by the PGP trust model. This is primarily of
@ -92,12 +95,15 @@ int tofu_wot_trust_combine (int tofu, int wot);
gpg_error_t tofu_write_tfs_record (ctrl_t ctrl, estream_t fp, gpg_error_t tofu_write_tfs_record (ctrl_t ctrl, estream_t fp,
PKT_public_key *pk, const char *user_id); PKT_public_key *pk, const char *user_id);
/* Determine the validity (TRUST_NEVER, etc.) of the binding /* Determine the validity (TRUST_NEVER, etc.) of the binding <PK,
<PK, USER_ID>. If MAY_ASK is 1, then this function may USER_ID>. If MAY_ASK is 1, then this function may interact with
interact with the user. If not, TRUST_UNKNOWN is returned. If an the user. If not, TRUST_UNKNOWN is returned if an interaction is
error occurs, TRUST_UNDEFINED is returned. */ required. Set the string list FLAGS to indicate that a specified
user id is expired. If an error occurs, TRUST_UNDEFINED is
returned. */
int tofu_get_validity (ctrl_t ctrl, int tofu_get_validity (ctrl_t ctrl,
PKT_public_key *pk, const char *user_id, int may_ask); PKT_public_key *pk, strlist_t user_id_list,
int may_ask);
/* Set the policy for all non-revoked user ids in the keyblock KB to /* Set the policy for all non-revoked user ids in the keyblock KB to
POLICY. */ POLICY. */

79
g10/trustdb.c
View File

@ -988,7 +988,7 @@ tdb_get_validity_core (ctrl_t ctrl,
int may_ask) int may_ask)
{ {
TRUSTREC trec, vrec; TRUSTREC trec, vrec;
gpg_error_t err; gpg_error_t err = 0;
ulong recno; ulong recno;
#ifdef USE_TOFU #ifdef USE_TOFU
unsigned int tofu_validity = TRUST_UNKNOWN; unsigned int tofu_validity = TRUST_UNKNOWN;
@ -1022,21 +1022,18 @@ tdb_get_validity_core (ctrl_t ctrl,
#ifdef USE_TOFU #ifdef USE_TOFU
if (opt.trust_model == TM_TOFU || opt.trust_model == TM_TOFU_PGP) if (opt.trust_model == TM_TOFU || opt.trust_model == TM_TOFU_PGP)
{ {
kbnode_t user_id_node = NULL; kbnode_t kb = NULL;
kbnode_t n = NULL; /* Silence -Wmaybe-uninitialized. */ kbnode_t n = NULL;
int user_ids = 0; strlist_t user_id_list = NULL;
int user_ids_expired = 0;
/* If the caller didn't supply a user id then iterate over all /* If the caller didn't supply a user id then use all uids. */
uids. */
if (! uid) if (! uid)
user_id_node = n = get_pubkeyblock (main_pk->keyid); kb = n = get_pubkeyblock (main_pk->keyid);
while (uid while (uid || (n = find_next_kbnode (n, PKT_USER_ID)))
|| (n = find_next_kbnode (n, PKT_USER_ID)))
{ {
unsigned int tl;
PKT_user_id *user_id; PKT_user_id *user_id;
int expired = 0;
if (uid) if (uid)
user_id = uid; user_id = uid;
@ -1060,42 +1057,48 @@ tdb_get_validity_core (ctrl_t ctrl,
s, user_id->name); s, user_id->name);
} }
if (user_id->is_revoked)
continue; continue;
expired = 1;
} }
user_ids ++; add_to_strlist (&user_id_list, user_id->name);
user_id_list->flags = expired;
if (sig)
tl = tofu_register (ctrl, main_pk, user_id->name,
sig->digest, sig->digest_len,
sig->timestamp, "unknown",
may_ask);
else
tl = tofu_get_validity (ctrl, main_pk, user_id->name, may_ask);
if (tl == TRUST_EXPIRED)
user_ids_expired ++;
else if (tl == TRUST_UNDEFINED || tl == TRUST_UNKNOWN)
;
else if (tl == TRUST_NEVER)
tofu_validity = TRUST_NEVER;
else
{
log_assert (tl == TRUST_MARGINAL
|| tl == TRUST_FULLY
|| tl == TRUST_ULTIMATE);
if (tl > tofu_validity)
/* XXX: We we really want the max? */
tofu_validity = tl;
}
if (uid) if (uid)
/* If the caller specified a user id, then we stop /* If the caller specified a user id, then we stop
now. */ now. */
break; break;
} }
release_kbnode (user_id_node);
/* Process the user ids in the order they appear in the key
block. */
strlist_rev (&user_id_list);
/* It only makes sense to observe any signature before getting
the validity. This is because if the current signature
results in a conflict, then we damn well want to take that
into account. */
if (sig)
{
err = tofu_register (ctrl, main_pk, user_id_list,
sig->digest, sig->digest_len,
sig->timestamp, "unknown");
if (err)
{
log_error ("TOFU: error registering signature: %s\n",
gpg_strerror (err));
tofu_validity = TRUST_UNKNOWN;
}
}
if (! err)
tofu_validity = tofu_get_validity (ctrl, main_pk, user_id_list,
may_ask);
free_strlist (user_id_list);
release_kbnode (kb);
} }
#endif /*USE_TOFU*/ #endif /*USE_TOFU*/