mirror of
git://git.gnupg.org/gnupg.git
synced 2025-07-02 22:46:30 +02:00
Finished PKA feature
This commit is contained in:
Werner Koch
parent
64fa7ea37e
commit
f1482aab4e
41 changed files with 26561 additions and 21524 deletions
|
|
@ -1,3 +1,20 @@
|
|||
2005-12-20 Werner Koch <wk@g10code.com>
|
||||
|
||||
* gpg.c: New option --allow-pka-lookup.
|
||||
(parse_trust_model): Add "+pka" variants.
|
||||
(main): Make KEYSERVER_AUTO_PKA_RETRIEVE teh default.
|
||||
* options.h (opt): New fields PKA_TRUST_INCREASE and
|
||||
ALLOW_PKA_LOOKUP.
|
||||
* status.h (STATUS_PKA_TRUST_BAD, STATUS_PKA_TRUST_GOOD): New.
|
||||
* pkclist.c (check_signatures_trust): Increase trust due to valid
|
||||
PKA only if that new option has been set. Issue new status lines.
|
||||
* trustdb.c (init_trustdb): Print info if this option is active.
|
||||
* getkey.c (get_pubkey_byname): Honor allow-pka-lookup.
|
||||
* mainproc.c (pka_uri_from_sig): Ditto.
|
||||
|
||||
* trustdb.c (validate_keys): Print no "ultimately trusted keys
|
||||
found" only in non-quiet mode.
|
||||
|
||||
2005-12-19 David Shaw <dshaw@jabberwocky.com>
|
||||
|
||||
* getkey.c (merge_selfsigs_main): All primary keys can certify.
|
||||
|
|
@ -23,6 +40,9 @@
|
|||
|
||||
2005-12-08 Werner Koch <wk@g10code.com>
|
||||
|
||||
* gpg.c (main): Check for DBCS lead byte when converting the
|
||||
homedir. By Kazuyoshi Kakihara. Fixes PR561.
|
||||
|
||||
* keyserver.c (keyserver_fetch): Made strings translatable.
|
||||
|
||||
2005-12-08 David Shaw <dshaw@jabberwocky.com>
|
||||
|
|
|
|||
|
|
@ -914,6 +914,7 @@ get_pubkey_byname (PKT_public_key *pk,
|
|||
include_unusable, ret_keyblock, ret_kdbhd);
|
||||
if (rc == G10ERR_NO_PUBKEY
|
||||
&& !again
|
||||
&& opt.allow_pka_lookup
|
||||
&& (opt.keyserver_options.options&KEYSERVER_AUTO_PKA_RETRIEVE)
|
||||
&& is_valid_mailbox (name))
|
||||
{
|
||||
|
|
|
|||
55
g10/gpg.c
55
g10/gpg.c
|
|
@ -35,6 +35,9 @@
|
|||
#include <sys/stat.h> /* for stat() */
|
||||
#endif
|
||||
#include <fcntl.h>
|
||||
#ifdef HAVE_W32_SYSTEM
|
||||
#include <windows.h>
|
||||
#endif
|
||||
|
||||
#define INCLUDED_BY_MAIN_MODULE 1
|
||||
#include "packet.h"
|
||||
|
|
@ -240,6 +243,7 @@ enum cmd_and_opt_values
|
|||
oAlwaysTrust,
|
||||
oTrustModel,
|
||||
oForceOwnertrust,
|
||||
oAllowPkaLookup,
|
||||
oRunAsShmCP,
|
||||
oSetFilename,
|
||||
oForYourEyesOnly,
|
||||
|
|
@ -596,6 +600,7 @@ static ARGPARSE_OPTS opts[] = {
|
|||
{ oAlwaysTrust, "always-trust", 0, "@"},
|
||||
{ oTrustModel, "trust-model", 2, "@"},
|
||||
{ oForceOwnertrust, "force-ownertrust", 2, "@"},
|
||||
{ oAllowPkaLookup, "allow-pka-lookup", 0, "@" },
|
||||
{ oRunAsShmCP, "run-as-shm-coprocess", 4, "@" },
|
||||
{ oSetFilename, "set-filename", 2, "@" },
|
||||
{ oForYourEyesOnly, "for-your-eyes-only", 0, "@" },
|
||||
|
|
@ -1442,6 +1447,7 @@ gpgconf_list (const char *configfile)
|
|||
printf ("quiet:%lu:\n", GC_OPT_FLAG_NONE);
|
||||
printf ("keyserver:%lu:\n", GC_OPT_FLAG_NONE);
|
||||
printf ("reader-port:%lu:\n", GC_OPT_FLAG_NONE);
|
||||
printf ("allow-pka-lookup:%lu:\n", GC_OPT_FLAG_NONE);
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -1597,20 +1603,47 @@ collapse_args(int argc,char *argv[])
|
|||
static void
|
||||
parse_trust_model(const char *model)
|
||||
{
|
||||
opt.pka_trust_increase = 0;
|
||||
if(ascii_strcasecmp(model,"pgp")==0)
|
||||
opt.trust_model=TM_PGP;
|
||||
{
|
||||
opt.trust_model=TM_PGP;
|
||||
}
|
||||
else if(ascii_strcasecmp(model,"pgp+pka")==0)
|
||||
{
|
||||
opt.trust_model=TM_PGP;
|
||||
opt.pka_trust_increase = 1;
|
||||
}
|
||||
else if(ascii_strcasecmp(model,"classic")==0)
|
||||
opt.trust_model=TM_CLASSIC;
|
||||
{
|
||||
opt.trust_model=TM_CLASSIC;
|
||||
}
|
||||
else if(ascii_strcasecmp(model,"always")==0)
|
||||
opt.trust_model=TM_ALWAYS;
|
||||
{
|
||||
opt.trust_model=TM_ALWAYS;
|
||||
}
|
||||
else if(ascii_strcasecmp(model,"direct")==0)
|
||||
opt.trust_model=TM_DIRECT;
|
||||
{
|
||||
opt.trust_model=TM_DIRECT;
|
||||
}
|
||||
else if(ascii_strcasecmp(model,"direct+pka")==0)
|
||||
{
|
||||
opt.trust_model=TM_DIRECT;
|
||||
opt.pka_trust_increase = 1;
|
||||
}
|
||||
else if(ascii_strcasecmp(model,"auto")==0)
|
||||
opt.trust_model=TM_AUTO;
|
||||
{
|
||||
opt.trust_model=TM_AUTO;
|
||||
}
|
||||
else if(ascii_strcasecmp(model,"auto+pka")==0)
|
||||
{
|
||||
opt.trust_model=TM_AUTO;
|
||||
opt.pka_trust_increase = 1;
|
||||
}
|
||||
else
|
||||
log_error("unknown trust model `%s'\n",model);
|
||||
}
|
||||
|
||||
|
||||
int
|
||||
main (int argc, char **argv )
|
||||
{
|
||||
|
|
@ -1698,10 +1731,11 @@ main (int argc, char **argv )
|
|||
opt.keyserver_options.import_options=IMPORT_REPAIR_PKS_SUBKEY_BUG;
|
||||
opt.keyserver_options.export_options=EXPORT_ATTRIBUTES;
|
||||
opt.keyserver_options.options=
|
||||
KEYSERVER_INCLUDE_SUBKEYS|KEYSERVER_INCLUDE_REVOKED|KEYSERVER_TRY_DNS_SRV|KEYSERVER_HONOR_KEYSERVER_URL;
|
||||
KEYSERVER_INCLUDE_SUBKEYS|KEYSERVER_INCLUDE_REVOKED|KEYSERVER_TRY_DNS_SRV|KEYSERVER_HONOR_KEYSERVER_URL|KEYSERVER_AUTO_PKA_RETRIEVE;
|
||||
opt.verify_options=
|
||||
VERIFY_SHOW_POLICY_URLS|VERIFY_SHOW_STD_NOTATIONS|VERIFY_SHOW_KEYSERVER_URLS;
|
||||
opt.trust_model=TM_AUTO;
|
||||
opt.pka_trust_increase=0;
|
||||
opt.mangle_dos_filenames=0;
|
||||
opt.min_cert_level=2;
|
||||
set_screen_dimensions();
|
||||
|
|
@ -1772,7 +1806,13 @@ main (int argc, char **argv )
|
|||
char *d, *buf = xmalloc (strlen (opt.homedir)+1);
|
||||
const char *s = opt.homedir;
|
||||
for (d=buf,s=opt.homedir; *s; s++)
|
||||
{
|
||||
*d++ = *s == '\\'? '/': *s;
|
||||
#ifdef HAVE_W32_SYSTEM
|
||||
if (s[1] && IsDBCSLeadByte (*s))
|
||||
*d++ = *++s;
|
||||
#endif
|
||||
}
|
||||
*d = 0;
|
||||
set_homedir (buf);
|
||||
}
|
||||
|
|
@ -2108,6 +2148,9 @@ main (int argc, char **argv )
|
|||
opt.force_ownertrust=0;
|
||||
}
|
||||
break;
|
||||
case oAllowPkaLookup:
|
||||
opt.allow_pka_lookup = 1;
|
||||
break;
|
||||
case oLoadExtension:
|
||||
#ifndef __riscos__
|
||||
#if defined(USE_DYNAMIC_LINKING) || defined(_WIN32)
|
||||
|
|
|
|||
|
|
@ -88,7 +88,7 @@ static struct parse_options keyserver_opts[]=
|
|||
{"auto-key-retrieve",KEYSERVER_AUTO_KEY_RETRIEVE,NULL,
|
||||
N_("automatically retrieve keys when verifying signatures")},
|
||||
{"auto-pka-retrieve",KEYSERVER_AUTO_PKA_RETRIEVE,NULL,
|
||||
NULL},
|
||||
N_("automatically retrieve keys from DNS")},
|
||||
{"try-dns-srv",KEYSERVER_TRY_DNS_SRV,NULL,
|
||||
NULL},
|
||||
{"honor-keyserver-url",KEYSERVER_HONOR_KEYSERVER_URL,NULL,
|
||||
|
|
|
|||
|
|
@ -1372,7 +1372,7 @@ pka_uri_from_sig (PKT_signature *sig)
|
|||
assert (!sig->pka_info);
|
||||
sig->flags.pka_tried = 1;
|
||||
sig->pka_info = get_pka_address (sig);
|
||||
if (sig->pka_info)
|
||||
if (sig->pka_info && opt.allow_pka_lookup)
|
||||
{
|
||||
char *uri;
|
||||
|
||||
|
|
|
|||
|
|
@ -103,6 +103,8 @@ struct
|
|||
TM_CLASSIC=0, TM_PGP=1, TM_EXTERNAL=2, TM_ALWAYS, TM_DIRECT, TM_AUTO
|
||||
} trust_model;
|
||||
int force_ownertrust;
|
||||
int pka_trust_increase; /* Valid PKA information increases the trust. */
|
||||
int allow_pka_lookup; /* PKA lookups are only done if this is set. */
|
||||
enum
|
||||
{
|
||||
CO_GNUPG=0, CO_RFC2440, CO_RFC1991, CO_PGP2, CO_PGP6, CO_PGP7, CO_PGP8
|
||||
|
|
|
|||
|
|
@ -549,12 +549,14 @@ check_signatures_trust( PKT_signature *sig )
|
|||
if ( fprlen == 20 && !memcmp (sig->pka_info->fpr, fpr, 20) )
|
||||
{
|
||||
okay = 1;
|
||||
write_status_text (STATUS_PKA_TRUST_GOOD, sig->pka_info->email);
|
||||
log_info (_("Note: Verified signer's address is `%s'\n"),
|
||||
sig->pka_info->email);
|
||||
}
|
||||
else
|
||||
{
|
||||
okay = 0;
|
||||
write_status_text (STATUS_PKA_TRUST_BAD, sig->pka_info->email);
|
||||
log_info (_("Note: Signer's address `%s' "
|
||||
"does not match DNS entry\n"), sig->pka_info->email);
|
||||
}
|
||||
|
|
@ -564,17 +566,19 @@ check_signatures_trust( PKT_signature *sig )
|
|||
case TRUST_UNKNOWN:
|
||||
case TRUST_UNDEFINED:
|
||||
case TRUST_MARGINAL:
|
||||
if (okay)
|
||||
if (okay && opt.pka_trust_increase)
|
||||
{
|
||||
trustlevel = ((trustlevel & ~TRUST_MASK) | TRUST_FULLY);
|
||||
log_info ("trustlevel adjusted to FULL due to valid PKA info\n");
|
||||
log_info (_("trustlevel adjusted to FULL"
|
||||
" due to valid PKA info\n"));
|
||||
}
|
||||
/* (fall through) */
|
||||
case TRUST_FULLY:
|
||||
if (!okay)
|
||||
{
|
||||
trustlevel = ((trustlevel & ~TRUST_MASK) | TRUST_NEVER);
|
||||
log_info ("trustlevel adjusted to NEVER due to bad PKA info\n");
|
||||
log_info (_("trustlevel adjusted to NEVER"
|
||||
" due to bad PKA info\n"));
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -163,6 +163,8 @@ get_status_string ( int no )
|
|||
case STATUS_SC_OP_SUCCESS : s = "SC_OP_SUCCESS"; break;
|
||||
case STATUS_SC_OP_FAILURE : s = "SC_OP_FAILURE"; break;
|
||||
case STATUS_BACKUP_KEY_CREATED:s="BACKUP_KEY_CREATED"; break;
|
||||
case STATUS_PKA_TRUST_BAD : s = "PKA_TRUST_BAD"; break;
|
||||
case STATUS_PKA_TRUST_GOOD : s = "PKA_TRUST_GOOD"; break;
|
||||
default: s = "?"; break;
|
||||
}
|
||||
return s;
|
||||
|
|
|
|||
|
|
@ -115,6 +115,9 @@
|
|||
|
||||
#define STATUS_BACKUP_KEY_CREATED 81
|
||||
|
||||
#define STATUS_PKA_TRUST_BAD 82
|
||||
#define STATUS_PKA_TRUST_GOOD 83
|
||||
|
||||
|
||||
/*-- status.c --*/
|
||||
void set_status_fd ( int fd );
|
||||
|
|
|
|||
|
|
@ -450,7 +450,12 @@ init_trustdb()
|
|||
}
|
||||
|
||||
if(opt.verbose)
|
||||
log_info(_("using %s trust model\n"),trust_model_string());
|
||||
{
|
||||
log_info(_("using %s trust model\n"),trust_model_string());
|
||||
if (opt.pka_trust_increase)
|
||||
log_info(_("PKA verification is allowed to"
|
||||
" leverage trust to full\n"));
|
||||
}
|
||||
}
|
||||
|
||||
if(opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC)
|
||||
|
|
@ -2156,7 +2161,8 @@ validate_keys (int interactive)
|
|||
* here when needed */
|
||||
if (!utk_list)
|
||||
{
|
||||
log_info (_("no ultimately trusted keys found\n"));
|
||||
if (!opt.quiet)
|
||||
log_info (_("no ultimately trusted keys found\n"));
|
||||
goto leave;
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue