security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-04-17 15:44:34 +02:00
Code Activity

gpg: Don't store formatting fingerprints in the TOFU DB.

Browse Source 
* g10/tofu.c (fingerprint_pp): Split this function into...
(fingerprint_str): ... this function...
(fingerprint_format): ... and this function.
(record_binding): Store the unformatted fingerprint in the DB.  Only
use the formatting fingerprint when displaying a message to the user.
(get_trust): Likewise.
(show_statistics): Likewise.
(tofu_register): Likewise.
(tofu_get_validity): Likewise.
(tofu_set_policy): Likewise.
(tofu_get_policy): Likewise.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
This commit is contained in:
Neal H. Walfield 2015-11-03 15:43:03 +01:00
parent 06f3eadb22
commit 8ae3946d28
1 changed files with 100 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

177
g10/tofu.c
View File

@ -167,9 +167,56 @@ tofu_cache_dump (struct db *db)
# define TIME_AGO_UNIT_LARGE_NAME _("month") # define TIME_AGO_UNIT_LARGE_NAME _("month")
# define TIME_AGO_UNIT_LARGE_NAME_PLURAL _("months") # define TIME_AGO_UNIT_LARGE_NAME_PLURAL _("months")
#endif #endif
static char *
fingerprint_str (const byte *fingerprint_bin)
{
char *fingerprint = bin2hex (fingerprint_bin, MAX_FINGERPRINT_LEN, NULL);
if (! fingerprint)
log_fatal ("Out of memory.\n");
return fingerprint;
}
/* Pretty print a MAX_FINGERPRINT_LEN-byte binary fingerprint into a
malloc'd string. */
static char *
fingerprint_format (const byte *fingerprint)
{
char *fingerprint_pretty;
int space = (/* The characters and the NUL. */
2 * MAX_FINGERPRINT_LEN + 1
/* After every fourth character, we add a space (except
the last). */
+ 2 * MAX_FINGERPRINT_LEN / 4 - 1
/* Half way through we add a second space. */
+ 1);
int i;
int j;
if (strlen (fingerprint) != 2 * MAX_FINGERPRINT_LEN)
{
log_info (_("Fingerprint with unexpected length (%zd chars)\n"),
strlen (fingerprint));
return xstrdup (fingerprint);
}
fingerprint_pretty = xmalloc (space);
for (i = 0, j = 0; i < MAX_FINGERPRINT_LEN * 2; i ++)
{
if (i && i % 4 == 0)
fingerprint_pretty[j ++] = ' ';
if (i == MAX_FINGERPRINT_LEN * 2 / 2)
fingerprint_pretty[j ++] = ' ';
fingerprint_pretty[j ++] = fingerprint[i];
}
fingerprint_pretty[j ++] = 0;
assert (j == space);
return fingerprint_pretty;
}
const char * const char *
tofu_policy_str (enum tofu_policy policy) tofu_policy_str (enum tofu_policy policy)
{ {
@ -1074,6 +1121,7 @@ static gpg_error_t
record_binding (struct dbs *dbs, const char *fingerprint, const char *email, record_binding (struct dbs *dbs, const char *fingerprint, const char *email,
const char *user_id, enum tofu_policy policy, int show_old) const char *user_id, enum tofu_policy policy, int show_old)
{ {
char *fingerprint_pp = fingerprint_format (fingerprint);
struct db *db_email = NULL, *db_key = NULL; struct db *db_email = NULL, *db_key = NULL;
int rc; int rc;
char *err = NULL; char *err = NULL;
@ -1132,7 +1180,7 @@ record_binding (struct dbs *dbs, const char *fingerprint, const char *email,
{ {
log_debug ("TOFU: Error reading from binding database" log_debug ("TOFU: Error reading from binding database"
" (reading policy for <%s, %s>): %s\n", " (reading policy for <%s, %s>): %s\n",
fingerprint, email, err); fingerprint_pp, email, err);
sqlite3_free (err); sqlite3_free (err);
} }
} }
@ -1142,12 +1190,12 @@ record_binding (struct dbs *dbs, const char *fingerprint, const char *email,
if (policy_old != TOFU_POLICY_NONE) if (policy_old != TOFU_POLICY_NONE)
log_debug ("Changing TOFU trust policy for binding <%s, %s>" log_debug ("Changing TOFU trust policy for binding <%s, %s>"
" from %s to %s.\n", " from %s to %s.\n",
fingerprint, email, fingerprint_pp, email,
tofu_policy_str (policy_old), tofu_policy_str (policy_old),
tofu_policy_str (policy)); tofu_policy_str (policy));
else else
log_debug ("Set TOFU trust policy for binding <%s, %s> to %s.\n", log_debug ("Set TOFU trust policy for binding <%s, %s> to %s.\n",
fingerprint, email, fingerprint_pp, email,
tofu_policy_str (policy)); tofu_policy_str (policy));
} }
@ -1173,7 +1221,7 @@ record_binding (struct dbs *dbs, const char *fingerprint, const char *email,
{ {
log_error (_("error updating TOFU binding database" log_error (_("error updating TOFU binding database"
" (inserting <%s, %s> = %s): %s\n"), " (inserting <%s, %s> = %s): %s\n"),
fingerprint, email, tofu_policy_str (policy), fingerprint_pp, email, tofu_policy_str (policy),
err); err);
sqlite3_free (err); sqlite3_free (err);
goto out; goto out;
@ -1201,7 +1249,7 @@ record_binding (struct dbs *dbs, const char *fingerprint, const char *email,
{ {
log_error (_("error updating TOFU binding database" log_error (_("error updating TOFU binding database"
" (inserting <%s, %s>): %s\n"), " (inserting <%s, %s>): %s\n"),
fingerprint, email, err); fingerprint_pp, email, err);
sqlite3_free (err); sqlite3_free (err);
goto out; goto out;
} }
@ -1239,6 +1287,8 @@ record_binding (struct dbs *dbs, const char *fingerprint, const char *email,
} }
} }
xfree (fingerprint_pp);
if (rc) if (rc)
return gpg_error (GPG_ERR_GENERAL); return gpg_error (GPG_ERR_GENERAL);
return 0; return 0;
@ -1568,6 +1618,7 @@ static enum tofu_policy
get_trust (struct dbs *dbs, const char *fingerprint, const char *email, get_trust (struct dbs *dbs, const char *fingerprint, const char *email,
const char *user_id, int may_ask) const char *user_id, int may_ask)
{ {
char *fingerprint_pp;
struct db *db; struct db *db;
enum tofu_policy policy; enum tofu_policy policy;
char *conflict = NULL; char *conflict = NULL;
@ -1595,38 +1646,33 @@ get_trust (struct dbs *dbs, const char *fingerprint, const char *email,
if (! db) if (! db)
return _tofu_GET_TRUST_ERROR; return _tofu_GET_TRUST_ERROR;
fingerprint_pp = fingerprint_format (fingerprint);
policy = get_policy (dbs, fingerprint, email, &conflict); policy = get_policy (dbs, fingerprint, email, &conflict);
if (policy == TOFU_POLICY_AUTO || policy == TOFU_POLICY_NONE) if (policy == TOFU_POLICY_AUTO || policy == TOFU_POLICY_NONE)
/* See if the key is ultimately trusted. If so, we're done. */ /* See if the key is ultimately trusted. If so, we're done. */
{ {
int i, j; const char *keyid;
char keyid[17];
KEYDB_SEARCH_DESC desc; KEYDB_SEARCH_DESC desc;
/* We need to convert the fingerprint as a string to a long /* We need to convert the fingerprint as a string to a long
keyid. keyid.
FINGERPRINT has the form: FINGERPRINT is stored as follows:
362D 3527 F53A AD19 71AA FDE6 5885 9975 EE37 CF96 362D3527F53AAD1971AAFDE658859975EE37CF96
------------------- -------------------
The last 16 characters are the long keyid. The last 16 characters are the long keyid.
*/ */
assert (strlen (fingerprint) > 4 * 4 + 3); assert (strlen (fingerprint) > 4 * 4);
for (i = strlen (fingerprint) - (4 * 4 + 3), j = 0; j < 16; i ++, j ++) keyid = &fingerprint[strlen (fingerprint) - 16];
{
if (fingerprint[i] == ' ')
i ++;
keyid[j] = fingerprint[i];
}
keyid[j] = 0;
rc = classify_user_id (keyid, &desc, 1); rc = classify_user_id (keyid, &desc, 1);
if (rc || desc.mode != KEYDB_SEARCH_MODE_LONG_KID) if (rc || desc.mode != KEYDB_SEARCH_MODE_LONG_KID)
{ {
log_error (_("'%s' is not a valid long keyID\n"), keyid); log_error (_("'%s' is not a valid long keyID\n"), keyid);
return _tofu_GET_TRUST_ERROR; goto out;
} }
if (tdb_keyid_is_utk (desc.u.kid)) if (tdb_keyid_is_utk (desc.u.kid))
@ -1653,7 +1699,7 @@ get_trust (struct dbs *dbs, const char *fingerprint, const char *email,
policy = opt.tofu_default_policy; policy = opt.tofu_default_policy;
if (DBG_TRUST) if (DBG_TRUST)
log_debug ("TOFU: binding <%s, %s>'s policy is auto (default: %s).\n", log_debug ("TOFU: binding <%s, %s>'s policy is auto (default: %s).\n",
fingerprint, email, fingerprint_pp, email,
tofu_policy_str (opt.tofu_default_policy)); tofu_policy_str (opt.tofu_default_policy));
} }
switch (policy) switch (policy)
@ -1666,7 +1712,7 @@ get_trust (struct dbs *dbs, const char *fingerprint, const char *email,
We don't need to ask the user anything. */ We don't need to ask the user anything. */
if (DBG_TRUST) if (DBG_TRUST)
log_debug ("TOFU: Known binding <%s, %s>'s policy: %s\n", log_debug ("TOFU: Known binding <%s, %s>'s policy: %s\n",
fingerprint, email, tofu_policy_str (policy)); fingerprint_pp, email, tofu_policy_str (policy));
trust_level = tofu_policy_to_trust_level (policy); trust_level = tofu_policy_to_trust_level (policy);
goto out; goto out;
@ -1745,7 +1791,7 @@ get_trust (struct dbs *dbs, const char *fingerprint, const char *email,
if (DBG_TRUST) if (DBG_TRUST)
log_debug ("TOFU: New binding <%s, %s>, no conflict.\n", log_debug ("TOFU: New binding <%s, %s>, no conflict.\n",
email, fingerprint); email, fingerprint_pp);
if (record_binding (dbs, fingerprint, email, user_id, if (record_binding (dbs, fingerprint, email, user_id,
TOFU_POLICY_AUTO, 0) != 0) TOFU_POLICY_AUTO, 0) != 0)
@ -1814,7 +1860,7 @@ get_trust (struct dbs *dbs, const char *fingerprint, const char *email,
if (! fp) if (! fp)
log_fatal ("Error creating memory stream\n"); log_fatal ("Error creating memory stream\n");
binding = xasprintf ("<%s, %s>", fingerprint, email); binding = xasprintf ("<%s, %s>", fingerprint_pp, email);
binding_shown = 0; binding_shown = 0;
if (policy == TOFU_POLICY_NONE) if (policy == TOFU_POLICY_NONE)
@ -1827,11 +1873,13 @@ get_trust (struct dbs *dbs, const char *fingerprint, const char *email,
display this message. */ display this message. */
&& conflict && strcmp (conflict, fingerprint) != 0) && conflict && strcmp (conflict, fingerprint) != 0)
{ {
char *conflict_pp = fingerprint_format (conflict);
es_fprintf (fp, es_fprintf (fp,
_("The key %s raised a conflict with this binding (%s)." _("The key %s raised a conflict with this binding (%s)."
" Since this binding's policy was 'auto', it was" " Since this binding's policy was 'auto', it was"
"changed to 'ask'. "), "changed to 'ask'. "),
conflict, binding); conflict_pp, binding);
xfree (conflict_pp);
binding_shown = 1; binding_shown = 1;
} }
es_fprintf (fp, es_fprintf (fp,
@ -1979,13 +2027,16 @@ get_trust (struct dbs *dbs, const char *fingerprint, const char *email,
if (! key || strcmp (key, stats_iter->fingerprint) != 0) if (! key || strcmp (key, stats_iter->fingerprint) != 0)
{ {
int this_key; int this_key;
char *key_pp;
key = stats_iter->fingerprint; key = stats_iter->fingerprint;
this_key = strcmp (key, fingerprint) == 0; this_key = strcmp (key, fingerprint) == 0;
key_pp = fingerprint_format (key);
if (this_key) if (this_key)
es_fprintf (fp, _(" %s (this key):"), key); es_fprintf (fp, _(" %s (this key):"), key_pp);
else else
es_fprintf (fp, _(" %s (policy: %s):"), es_fprintf (fp, _(" %s (policy: %s):"),
key, tofu_policy_str (stats_iter->policy)); key_pp, tofu_policy_str (stats_iter->policy));
xfree (key_pp);
es_fprintf (fp, "\n"); es_fprintf (fp, "\n");
} }
@ -2128,6 +2179,7 @@ get_trust (struct dbs *dbs, const char *fingerprint, const char *email,
xfree (conflict); xfree (conflict);
free_strlist (bindings_with_this_email); free_strlist (bindings_with_this_email);
xfree (fingerprint_pp);
return trust_level; return trust_level;
} }
@ -2138,6 +2190,7 @@ show_statistics (struct dbs *dbs, const char *fingerprint,
const char *sig_exclude) const char *sig_exclude)
{ {
struct db *db; struct db *db;
char *fingerprint_pp;
int rc; int rc;
strlist_t strlist = NULL; strlist_t strlist = NULL;
char *err = NULL; char *err = NULL;
@ -2146,6 +2199,8 @@ show_statistics (struct dbs *dbs, const char *fingerprint,
if (! db) if (! db)
return; return;
fingerprint_pp = fingerprint_format (fingerprint);
rc = sqlite3_exec_printf rc = sqlite3_exec_printf
(db->db, strings_collect_cb, &strlist, &err, (db->db, strings_collect_cb, &strlist, &err,
"select count (*), strftime('%%s','now') - min (signatures.time)\n" "select count (*), strftime('%%s','now') - min (signatures.time)\n"
@ -2169,7 +2224,7 @@ show_statistics (struct dbs *dbs, const char *fingerprint,
if (! strlist) if (! strlist)
log_info (_("Have never verified a message signed by key %s!\n"), log_info (_("Have never verified a message signed by key %s!\n"),
fingerprint); fingerprint_pp);
else else
{ {
char *tail = NULL; char *tail = NULL;
@ -2206,8 +2261,8 @@ show_statistics (struct dbs *dbs, const char *fingerprint,
} }
if (messages == -1 || first_seen_ago == 0) if (messages == -1 || first_seen_ago == 0)
log_info (_("Failed to collect signature statistics for \"%s\" (key %s)\n"), log_info (_("Failed to collect signature statistics for \"%s\" (key %s)\n"),
user_id, fingerprint); user_id, fingerprint_pp);
else else
{ {
enum tofu_policy policy = get_policy (dbs, fingerprint, email, NULL); enum tofu_policy policy = get_policy (dbs, fingerprint, email, NULL);
@ -2219,10 +2274,10 @@ show_statistics (struct dbs *dbs, const char *fingerprint,
log_fatal ("error creating memory stream\n"); log_fatal ("error creating memory stream\n");
if (messages == 0) if (messages == 0)
es_fprintf (fp, es_fprintf (fp,
_("Verified 0 messages signed by \"%s\"" _("Verified 0 messages signed by \"%s\""
" (key: %s, policy %s)."), " (key: %s, policy %s)."),
user_id, fingerprint, tofu_policy_str (policy)); user_id, fingerprint_pp, tofu_policy_str (policy));
else else
{ {
int years = 0; int years = 0;
@ -2244,7 +2299,7 @@ show_statistics (struct dbs *dbs, const char *fingerprint,
_("Verified %ld messages signed by \"%s\"" _("Verified %ld messages signed by \"%s\""
" (key: %s, policy: %s) in the past "), " (key: %s, policy: %s) in the past "),
messages, user_id, messages, user_id,
fingerprint, tofu_policy_str (policy)); fingerprint_pp, tofu_policy_str (policy));
/* It would be nice to use a macro to do this, but gettext /* It would be nice to use a macro to do this, but gettext
works on the unpreprocessed code. */ works on the unpreprocessed code. */
@ -2402,6 +2457,7 @@ show_statistics (struct dbs *dbs, const char *fingerprint,
out: out:
free_strlist (strlist); free_strlist (strlist);
xfree (fingerprint_pp);
return; return;
} }
@ -2422,42 +2478,6 @@ email_from_user_id (const char *user_id)
return email; return email;
} }
/* Pretty print a MAX_FINGERPRINT_LEN-byte binary fingerprint into a
malloc'd string. */
static char *
fingerprint_pp (const byte *fingerprint_bin)
{
char fingerprint[MAX_FINGERPRINT_LEN * 2 + 1];
char *fingerprint_pretty;
int space = (/* The characters and the NUL. */
sizeof (fingerprint)
/* After every fourth character, we add a space (except
the last). */
+ (sizeof (fingerprint) - 1) / 4 - 1
/* Half way through we add a second space. */
+ 1);
int i;
int j;
bin2hex (fingerprint_bin, MAX_FINGERPRINT_LEN, fingerprint);
fingerprint_pretty = xmalloc (space);
for (i = 0, j = 0; i < MAX_FINGERPRINT_LEN * 2; i ++)
{
if (i && i % 4 == 0)
fingerprint_pretty[j ++] = ' ';
if (i == MAX_FINGERPRINT_LEN * 2 / 2)
fingerprint_pretty[j ++] = ' ';
fingerprint_pretty[j ++] = fingerprint[i];
}
fingerprint_pretty[j ++] = 0;
assert (j == space);
return fingerprint_pretty;
}
/* Register the signature with the binding <FINGERPRINT_BIN, USER_ID>. /* Register the signature with the binding <FINGERPRINT_BIN, USER_ID>.
FINGERPRINT must be MAX_FINGERPRINT_LEN bytes long. FINGERPRINT must be MAX_FINGERPRINT_LEN bytes long.
@ -2485,6 +2505,7 @@ tofu_register (const byte *fingerprint_bin, const char *user_id,
struct dbs *dbs; struct dbs *dbs;
struct db *db; struct db *db;
char *fingerprint = NULL; char *fingerprint = NULL;
char *fingerprint_pp = NULL;
char *email = NULL; char *email = NULL;
char *err = NULL; char *err = NULL;
int rc; int rc;
@ -2502,7 +2523,8 @@ tofu_register (const byte *fingerprint_bin, const char *user_id,
goto die; goto die;
} }
fingerprint = fingerprint_pp (fingerprint_bin); fingerprint = fingerprint_str (fingerprint_bin);
fingerprint_pp = fingerprint_format (fingerprint);
if (! *user_id) if (! *user_id)
{ {
@ -2568,7 +2590,7 @@ tofu_register (const byte *fingerprint_bin, const char *user_id,
log_debug ("SIGNATURES DB contains duplicate records" log_debug ("SIGNATURES DB contains duplicate records"
" <key: %s, %s, time: 0x%lx, sig: %s, %s>." " <key: %s, %s, time: 0x%lx, sig: %s, %s>."
" Please report.\n", " Please report.\n",
fingerprint, email, (unsigned long) sig_time, fingerprint_pp, email, (unsigned long) sig_time,
sig_digest, origin); sig_digest, origin);
else if (c == 1) else if (c == 1)
{ {
@ -2576,7 +2598,7 @@ tofu_register (const byte *fingerprint_bin, const char *user_id,
if (DBG_TRUST) if (DBG_TRUST)
log_debug ("Already observed the signature" log_debug ("Already observed the signature"
" <key: %s, %s, time: 0x%lx, sig: %s, %s>\n", " <key: %s, %s, time: 0x%lx, sig: %s, %s>\n",
fingerprint, email, (unsigned long) sig_time, fingerprint_pp, email, (unsigned long) sig_time,
sig_digest, origin); sig_digest, origin);
} }
else else
@ -2585,7 +2607,7 @@ tofu_register (const byte *fingerprint_bin, const char *user_id,
{ {
if (DBG_TRUST) if (DBG_TRUST)
log_debug ("TOFU: Saving signature <%s, %s, %s>\n", log_debug ("TOFU: Saving signature <%s, %s, %s>\n",
fingerprint, email, sig_digest); fingerprint_pp, email, sig_digest);
assert (c == 0); assert (c == 0);
@ -2631,6 +2653,7 @@ tofu_register (const byte *fingerprint_bin, const char *user_id,
already_verified ? NULL : sig_digest); already_verified ? NULL : sig_digest);
xfree (email); xfree (email);
xfree (fingerprint_pp);
xfree (fingerprint); xfree (fingerprint);
if (dbs) if (dbs)
closedbs (dbs); closedbs (dbs);
@ -2715,7 +2738,7 @@ tofu_get_validity (const byte *fingerprint_bin, const char *user_id,
goto die; goto die;
} }
fingerprint = fingerprint_pp (fingerprint_bin); fingerprint = fingerprint_str (fingerprint_bin);
if (! *user_id) if (! *user_id)
{ {
@ -2778,7 +2801,7 @@ tofu_set_policy (kbnode_t kb, enum tofu_policy policy)
fingerprint_from_pk (pk, fingerprint_bin, &fingerprint_bin_len); fingerprint_from_pk (pk, fingerprint_bin, &fingerprint_bin_len);
assert (fingerprint_bin_len == sizeof (fingerprint_bin)); assert (fingerprint_bin_len == sizeof (fingerprint_bin));
fingerprint = fingerprint_pp (fingerprint_bin); fingerprint = fingerprint_str (fingerprint_bin);
for (; kb; kb = kb->next) for (; kb; kb = kb->next)
{ {
@ -2855,7 +2878,7 @@ tofu_get_policy (PKT_public_key *pk, PKT_user_id *user_id,
fingerprint_from_pk (pk, fingerprint_bin, &fingerprint_bin_len); fingerprint_from_pk (pk, fingerprint_bin, &fingerprint_bin_len);
assert (fingerprint_bin_len == sizeof (fingerprint_bin)); assert (fingerprint_bin_len == sizeof (fingerprint_bin));
fingerprint = fingerprint_pp (fingerprint_bin); fingerprint = fingerprint_str (fingerprint_bin);
email = email_from_user_id (user_id->name); email = email_from_user_id (user_id->name);