mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-23 10:29:58 +01:00
agent: New option --no-user-trustlist and --sys-trustlist-name.
* agent/gpg-agent.c (oNoUserTrustlist,oSysTrustlistName): New. (opts): Add new option names. (parse_rereadable_options): Parse options. (finalize_rereadable_options): Reset allow-mark-trusted for the new option. * agent/agent.h (opt): Add fields no_user_trustlist and sys_trustlist_name. * agent/trustlist.c (make_sys_trustlist_name): New. (read_one_trustfile): Use here. (read_trustfiles): Use here. Implement --no-user-trustlist. Also repalce "allow_include" by "systrust" and adjust callers. -- With the global options we can now avoid that a user changes the Root-CA trust by editing the trustlist.txt. However, to implement this we need a new option so that we don't need to rely on some magic like --no-allow-mark-trusted has been put into a force section. The second option makes system administration easier as it allows to keep the trustlist in a non-distributed file. GnuPG-bug-id: 5990 Backported-from-master: 1530d04725d475bf29328eab40b42f72ff8aa06b
This commit is contained in:
parent
abe69b2094
commit
d0bd91ba73
@ -148,6 +148,13 @@ struct
|
|||||||
interactively mark certificate in trustlist.txt as trusted. */
|
interactively mark certificate in trustlist.txt as trusted. */
|
||||||
int allow_mark_trusted;
|
int allow_mark_trusted;
|
||||||
|
|
||||||
|
/* Only use the system trustlist. */
|
||||||
|
int no_user_trustlist;
|
||||||
|
|
||||||
|
/* The standard system trustlist is SYSCONFDIR/trustlist.txt. This
|
||||||
|
* option can be used to change the name. */
|
||||||
|
const char *sys_trustlist_name;
|
||||||
|
|
||||||
/* If this global option is true, the Assuan command
|
/* If this global option is true, the Assuan command
|
||||||
PRESET_PASSPHRASE is allowed. */
|
PRESET_PASSPHRASE is allowed. */
|
||||||
int allow_preset_passphrase;
|
int allow_preset_passphrase;
|
||||||
|
@ -128,6 +128,8 @@ enum cmd_and_opt_values
|
|||||||
oIgnoreCacheForSigning,
|
oIgnoreCacheForSigning,
|
||||||
oAllowMarkTrusted,
|
oAllowMarkTrusted,
|
||||||
oNoAllowMarkTrusted,
|
oNoAllowMarkTrusted,
|
||||||
|
oNoUserTrustlist,
|
||||||
|
oSysTrustlistName,
|
||||||
oAllowPresetPassphrase,
|
oAllowPresetPassphrase,
|
||||||
oAllowLoopbackPinentry,
|
oAllowLoopbackPinentry,
|
||||||
oNoAllowLoopbackPinentry,
|
oNoAllowLoopbackPinentry,
|
||||||
@ -249,6 +251,8 @@ static ARGPARSE_OPTS opts[] = {
|
|||||||
ARGPARSE_s_n (oNoAllowMarkTrusted, "no-allow-mark-trusted",
|
ARGPARSE_s_n (oNoAllowMarkTrusted, "no-allow-mark-trusted",
|
||||||
/* */ N_("disallow clients to mark keys as \"trusted\"")),
|
/* */ N_("disallow clients to mark keys as \"trusted\"")),
|
||||||
ARGPARSE_s_n (oAllowMarkTrusted, "allow-mark-trusted", "@"),
|
ARGPARSE_s_n (oAllowMarkTrusted, "allow-mark-trusted", "@"),
|
||||||
|
ARGPARSE_s_n (oNoUserTrustlist, "no-user-trustlist", "@"),
|
||||||
|
ARGPARSE_s_s (oSysTrustlistName, "sys-trustlist-name", "@"),
|
||||||
ARGPARSE_s_n (oAllowPresetPassphrase, "allow-preset-passphrase",
|
ARGPARSE_s_n (oAllowPresetPassphrase, "allow-preset-passphrase",
|
||||||
/* */ N_("allow presetting passphrase")),
|
/* */ N_("allow presetting passphrase")),
|
||||||
ARGPARSE_s_u (oS2KCount, "s2k-count", "@"),
|
ARGPARSE_s_u (oS2KCount, "s2k-count", "@"),
|
||||||
@ -873,6 +877,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
|
|||||||
opt.enable_extended_key_format = 1;
|
opt.enable_extended_key_format = 1;
|
||||||
opt.ignore_cache_for_signing = 0;
|
opt.ignore_cache_for_signing = 0;
|
||||||
opt.allow_mark_trusted = 1;
|
opt.allow_mark_trusted = 1;
|
||||||
|
opt.sys_trustlist_name = NULL;
|
||||||
opt.allow_external_cache = 1;
|
opt.allow_external_cache = 1;
|
||||||
opt.allow_loopback_pinentry = 1;
|
opt.allow_loopback_pinentry = 1;
|
||||||
opt.allow_emacs_pinentry = 0;
|
opt.allow_emacs_pinentry = 0;
|
||||||
@ -963,6 +968,8 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
|
|||||||
|
|
||||||
case oAllowMarkTrusted: opt.allow_mark_trusted = 1; break;
|
case oAllowMarkTrusted: opt.allow_mark_trusted = 1; break;
|
||||||
case oNoAllowMarkTrusted: opt.allow_mark_trusted = 0; break;
|
case oNoAllowMarkTrusted: opt.allow_mark_trusted = 0; break;
|
||||||
|
case oNoUserTrustlist: opt.no_user_trustlist = 1; break;
|
||||||
|
case oSysTrustlistName: opt.sys_trustlist_name = pargs->r.ret_str; break;
|
||||||
|
|
||||||
case oAllowPresetPassphrase: opt.allow_preset_passphrase = 1; break;
|
case oAllowPresetPassphrase: opt.allow_preset_passphrase = 1; break;
|
||||||
|
|
||||||
@ -1008,6 +1015,11 @@ finalize_rereadable_options (void)
|
|||||||
/* Hack to allow --grab to override --no-grab. */
|
/* Hack to allow --grab to override --no-grab. */
|
||||||
if ((opt.no_grab & 2))
|
if ((opt.no_grab & 2))
|
||||||
opt.no_grab = 0;
|
opt.no_grab = 0;
|
||||||
|
|
||||||
|
/* With --no-user-trustlist it does not make sense to allow the mark
|
||||||
|
* trusted feature. */
|
||||||
|
if (opt.no_user_trustlist)
|
||||||
|
opt.allow_mark_trusted = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -128,8 +128,26 @@ clear_trusttable (void)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/* Return the name of the system trustlist. Caller must free. */
|
||||||
|
static char *
|
||||||
|
make_sys_trustlist_name (void)
|
||||||
|
{
|
||||||
|
if (opt.sys_trustlist_name
|
||||||
|
&& (strchr (opt.sys_trustlist_name, '/')
|
||||||
|
|| strchr (opt.sys_trustlist_name, '\\')
|
||||||
|
|| (*opt.sys_trustlist_name == '~'
|
||||||
|
&& opt.sys_trustlist_name[1] == '/')))
|
||||||
|
return make_absfilename (opt.sys_trustlist_name, NULL);
|
||||||
|
else
|
||||||
|
return make_filename (gnupg_sysconfdir (),
|
||||||
|
(opt.sys_trustlist_name ?
|
||||||
|
opt.sys_trustlist_name : "trustlist.txt"),
|
||||||
|
NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static gpg_error_t
|
static gpg_error_t
|
||||||
read_one_trustfile (const char *fname, int allow_include,
|
read_one_trustfile (const char *fname, int systrust,
|
||||||
trustitem_t **addr_of_table,
|
trustitem_t **addr_of_table,
|
||||||
size_t *addr_of_tablesize,
|
size_t *addr_of_tablesize,
|
||||||
int *addr_of_tableidx)
|
int *addr_of_tableidx)
|
||||||
@ -188,7 +206,7 @@ read_one_trustfile (const char *fname, int allow_include,
|
|||||||
gpg_error_t err2;
|
gpg_error_t err2;
|
||||||
gpg_err_code_t ec;
|
gpg_err_code_t ec;
|
||||||
|
|
||||||
if (!allow_include)
|
if (systrust)
|
||||||
{
|
{
|
||||||
log_error (_("statement \"%s\" ignored in '%s', line %d\n"),
|
log_error (_("statement \"%s\" ignored in '%s', line %d\n"),
|
||||||
"include-default", fname, lnr);
|
"include-default", fname, lnr);
|
||||||
@ -196,7 +214,7 @@ read_one_trustfile (const char *fname, int allow_include,
|
|||||||
}
|
}
|
||||||
/* fixme: Should check for trailing garbage. */
|
/* fixme: Should check for trailing garbage. */
|
||||||
|
|
||||||
etcname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
|
etcname = make_sys_trustlist_name ();
|
||||||
if ( !strcmp (etcname, fname) ) /* Same file. */
|
if ( !strcmp (etcname, fname) ) /* Same file. */
|
||||||
log_info (_("statement \"%s\" ignored in '%s', line %d\n"),
|
log_info (_("statement \"%s\" ignored in '%s', line %d\n"),
|
||||||
"include-default", fname, lnr);
|
"include-default", fname, lnr);
|
||||||
@ -208,7 +226,7 @@ read_one_trustfile (const char *fname, int allow_include,
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
err2 = read_one_trustfile (etcname, 0,
|
err2 = read_one_trustfile (etcname, 1,
|
||||||
&table, &tablesize, &tableidx);
|
&table, &tablesize, &tableidx);
|
||||||
if (err2)
|
if (err2)
|
||||||
err = err2;
|
err = err2;
|
||||||
@ -337,7 +355,7 @@ read_trustfiles (void)
|
|||||||
int tableidx;
|
int tableidx;
|
||||||
size_t tablesize;
|
size_t tablesize;
|
||||||
char *fname;
|
char *fname;
|
||||||
int allow_include = 1;
|
int systrust = 0;
|
||||||
gpg_err_code_t ec;
|
gpg_err_code_t ec;
|
||||||
|
|
||||||
tablesize = 20;
|
tablesize = 20;
|
||||||
@ -346,6 +364,10 @@ read_trustfiles (void)
|
|||||||
return gpg_error_from_syserror ();
|
return gpg_error_from_syserror ();
|
||||||
tableidx = 0;
|
tableidx = 0;
|
||||||
|
|
||||||
|
if (opt.no_user_trustlist)
|
||||||
|
fname = NULL;
|
||||||
|
else
|
||||||
|
{
|
||||||
fname = make_filename_try (gnupg_homedir (), "trustlist.txt", NULL);
|
fname = make_filename_try (gnupg_homedir (), "trustlist.txt", NULL);
|
||||||
if (!fname)
|
if (!fname)
|
||||||
{
|
{
|
||||||
@ -353,10 +375,13 @@ read_trustfiles (void)
|
|||||||
xfree (table);
|
xfree (table);
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if ((ec = gnupg_access (fname, F_OK)))
|
if (!fname || (ec = gnupg_access (fname, F_OK)))
|
||||||
{
|
{
|
||||||
if ( ec == GPG_ERR_ENOENT )
|
if (!fname)
|
||||||
|
; /* --no-user-trustlist active. */
|
||||||
|
else if ( ec == GPG_ERR_ENOENT )
|
||||||
; /* Silently ignore a non-existing trustfile. */
|
; /* Silently ignore a non-existing trustfile. */
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
@ -364,11 +389,10 @@ read_trustfiles (void)
|
|||||||
log_error (_("error opening '%s': %s\n"), fname, gpg_strerror (err));
|
log_error (_("error opening '%s': %s\n"), fname, gpg_strerror (err));
|
||||||
}
|
}
|
||||||
xfree (fname);
|
xfree (fname);
|
||||||
fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
|
fname = make_sys_trustlist_name ();
|
||||||
allow_include = 0;
|
systrust = 1;
|
||||||
}
|
}
|
||||||
err = read_one_trustfile (fname, allow_include,
|
err = read_one_trustfile (fname, systrust, &table, &tablesize, &tableidx);
|
||||||
&table, &tablesize, &tableidx);
|
|
||||||
xfree (fname);
|
xfree (fname);
|
||||||
|
|
||||||
if (err)
|
if (err)
|
||||||
|
@ -366,6 +366,21 @@ Do not allow clients to mark keys as trusted, i.e. put them into the
|
|||||||
@file{trustlist.txt} file. This makes it harder for users to inadvertently
|
@file{trustlist.txt} file. This makes it harder for users to inadvertently
|
||||||
accept Root-CA keys.
|
accept Root-CA keys.
|
||||||
|
|
||||||
|
|
||||||
|
@anchor{option --no-user-trustlist}
|
||||||
|
@item --no-user-trustlist
|
||||||
|
@opindex no-user-trustlist
|
||||||
|
Entirely ignore the user trust list and consider only the global
|
||||||
|
trustlist (@file{@value{SYSCONFDIR}/trustlist.txt}). This
|
||||||
|
implies the @ref{option --no-allow-mark-trusted}.
|
||||||
|
|
||||||
|
@item --sys-trustlist-name @var{file}
|
||||||
|
@opindex sys-trustlist-name
|
||||||
|
Changes the default name for the global trustlist from "trustlist.txt"
|
||||||
|
to @var{file}. If @var{file} does not contain any slashes and does
|
||||||
|
not start with "~/" it is searched in the system configuration
|
||||||
|
directory (@file{@value{SYSCONFDIR}}).
|
||||||
|
|
||||||
@anchor{option --allow-preset-passphrase}
|
@anchor{option --allow-preset-passphrase}
|
||||||
@item --allow-preset-passphrase
|
@item --allow-preset-passphrase
|
||||||
@opindex allow-preset-passphrase
|
@opindex allow-preset-passphrase
|
||||||
@ -794,7 +809,9 @@ that this file can't be changed inadvertently.
|
|||||||
|
|
||||||
As a special feature a line @code{include-default} will include a global
|
As a special feature a line @code{include-default} will include a global
|
||||||
list of trusted certificates (e.g. @file{@value{SYSCONFDIR}/trustlist.txt}).
|
list of trusted certificates (e.g. @file{@value{SYSCONFDIR}/trustlist.txt}).
|
||||||
This global list is also used if the local list is not available.
|
This global list is also used if the local list is not available;
|
||||||
|
the @ref{option --no-user-trustlist} enforces the use of only
|
||||||
|
this global list.
|
||||||
|
|
||||||
It is possible to add further flags after the @code{S} for use by the
|
It is possible to add further flags after the @code{S} for use by the
|
||||||
caller:
|
caller:
|
||||||
|
Loading…
x
Reference in New Issue
Block a user