mirror of
git://git.gnupg.org/gnupg.git
synced 2024-11-10 21:38:50 +01:00
253afa2444
* g10/tofu.c (get_trust): Fix formatting. -- Signed-off-by: Neal H. Walfield <neal@g10code.com>
2486 lines
68 KiB
C
2486 lines
68 KiB
C
/* tofu.c - TOFU trust model.
|
|
* Copyright (C) 2015 g10 Code GmbH
|
|
*
|
|
* This file is part of GnuPG.
|
|
*
|
|
* GnuPG is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* GnuPG is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
/* TODO:
|
|
|
|
- Format the fingerprints nicely when printing (similar to gpg
|
|
--list-keys)
|
|
*/
|
|
|
|
#include <config.h>
|
|
#include <stdio.h>
|
|
#include <sys/stat.h>
|
|
#include <assert.h>
|
|
#include <sqlite3.h>
|
|
|
|
#include "gpg.h"
|
|
#include "types.h"
|
|
#include "logging.h"
|
|
#include "stringhelp.h"
|
|
#include "options.h"
|
|
#include "mbox-util.h"
|
|
#include "i18n.h"
|
|
#include "trustdb.h"
|
|
#include "mkdir_p.h"
|
|
|
|
#include "tofu.h"
|
|
|
|
/* The TOFU data can be saved in two different formats: either in a
|
|
single combined database (opt.tofu_db_format == TOFU_DB_FLAT) or in
|
|
a split file format (opt.tofu_db_format == TOFU_DB_SPLIT). In the
|
|
split format, there is one database per normalized email address
|
|
(DB_EMAIL) and one per key (DB_KEY). */
|
|
enum db_type
|
|
{
|
|
DB_COMBINED,
|
|
DB_EMAIL,
|
|
DB_KEY
|
|
};
|
|
|
|
/* A list of open DBs.
|
|
|
|
In the flat format, this consists of a single element with the type
|
|
DB_COMBINED and whose name is the empty string.
|
|
|
|
In the split format, the first element is a dummy element (DB is
|
|
NULL) whose type is DB_COMBINED and whose name is the empty string.
|
|
Any following elements describe either DB_EMAIL or DB_KEY DBs. In
|
|
theis case, NAME is either the normalized email address or the
|
|
fingerprint.
|
|
|
|
To initialize this data structure, call opendbs(). When you are
|
|
done, clean it up using closedbs(). To get a handle to a database,
|
|
use the getdb() function. This will either return an existing
|
|
handle or open a new DB connection, as appropriate. */
|
|
struct db
|
|
{
|
|
struct db *next;
|
|
|
|
enum db_type type;
|
|
|
|
sqlite3 *db;
|
|
|
|
/* If TYPE is DB_COMBINED, this is "". Otherwise, it is either the
|
|
fingerprint (type == DB_KEY) or the normalized email address
|
|
(type == DB_EMAIL). */
|
|
char name[1];
|
|
};
|
|
|
|
/* The grouping parameters when collecting signature statistics. */
|
|
|
|
/* If a message is signed a couple of hours in the future, just assume
|
|
some clock skew. */
|
|
#define TIME_AGO_FUTURE_IGNORE (2 * 60 * 60)
|
|
#if 0
|
|
# define TIME_AGO_UNIT_SMALL 60
|
|
# define TIME_AGO_UNIT_SMALL_NAME _("minute")
|
|
# define TIME_AGO_UNIT_SMALL_NAME_PLURAL _("minutes")
|
|
# define TIME_AGO_MEDIUM_THRESHOLD (60 * TIME_AGO_UNIT_SMALL)
|
|
# define TIME_AGO_UNIT_MEDIUM (60 * 60)
|
|
# define TIME_AGO_UNIT_MEDIUM_NAME _("hour")
|
|
# define TIME_AGO_UNIT_MEDIUM_NAME_PLURAL _("hours")
|
|
# define TIME_AGO_LARGE_THRESHOLD (24 * 60 * TIME_AGO_UNIT_SMALL)
|
|
# define TIME_AGO_UNIT_LARGE (24 * 60 * 60)
|
|
# define TIME_AGO_UNIT_LARGE_NAME _("day")
|
|
# define TIME_AGO_UNIT_LARGE_NAME_PLURAL _("days")
|
|
#else
|
|
# define TIME_AGO_UNIT_SMALL (24 * 60 * 60)
|
|
# define TIME_AGO_UNIT_SMALL_NAME _("day")
|
|
# define TIME_AGO_UNIT_SMALL_NAME_PLURAL _("days")
|
|
# define TIME_AGO_MEDIUM_THRESHOLD (4 * TIME_AGO_UNIT_SMALL)
|
|
# define TIME_AGO_UNIT_MEDIUM (7 * 24 * 60 * 60)
|
|
# define TIME_AGO_UNIT_MEDIUM_NAME _("week")
|
|
# define TIME_AGO_UNIT_MEDIUM_NAME_PLURAL _("weeks")
|
|
# define TIME_AGO_LARGE_THRESHOLD (28 * TIME_AGO_UNIT_SMALL)
|
|
# define TIME_AGO_UNIT_LARGE (30 * 24 * 60 * 60)
|
|
# define TIME_AGO_UNIT_LARGE_NAME _("month")
|
|
# define TIME_AGO_UNIT_LARGE_NAME_PLURAL _("months")
|
|
#endif
|
|
|
|
|
|
|
|
const char *
|
|
tofu_policy_str (enum tofu_policy policy)
|
|
{
|
|
switch (policy)
|
|
{
|
|
case TOFU_POLICY_NONE: return "none";
|
|
case TOFU_POLICY_AUTO: return "auto";
|
|
case TOFU_POLICY_GOOD: return "good";
|
|
case TOFU_POLICY_UNKNOWN: return "unknown";
|
|
case TOFU_POLICY_BAD: return "bad";
|
|
case TOFU_POLICY_ASK: return "ask";
|
|
default: return "???";
|
|
}
|
|
}
|
|
|
|
/* Convert a binding policy (e.g., TOFU_POLICY_BAD) to a trust level
|
|
(e.g., TRUST_BAD) in light of the current configuration. */
|
|
int
|
|
tofu_policy_to_trust_level (enum tofu_policy policy)
|
|
{
|
|
if (policy == TOFU_POLICY_AUTO)
|
|
/* If POLICY is AUTO, fallback to OPT.TOFU_DEFAULT_POLICY. */
|
|
policy = opt.tofu_default_policy;
|
|
|
|
switch (policy)
|
|
{
|
|
case TOFU_POLICY_AUTO:
|
|
/* If POLICY and OPT.TOFU_DEFAULT_POLICY are both AUTO, default
|
|
to marginal trust. */
|
|
return TRUST_MARGINAL;
|
|
case TOFU_POLICY_GOOD:
|
|
return TRUST_FULLY;
|
|
case TOFU_POLICY_UNKNOWN:
|
|
return TRUST_UNKNOWN;
|
|
case TOFU_POLICY_BAD:
|
|
return TRUST_NEVER;
|
|
case TOFU_POLICY_ASK:
|
|
return TRUST_UNKNOWN;
|
|
default:
|
|
log_bug ("Bad value for trust policy: %d\n",
|
|
opt.tofu_default_policy);
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
/* This is a convenience function that combines sqlite3_mprintf and
|
|
sqlite3_exec. */
|
|
static int
|
|
sqlite3_exec_printf (sqlite3 *db,
|
|
int (*callback)(void*,int,char**,char**), void *cookie,
|
|
char **errmsg,
|
|
const char *sql, ...)
|
|
{
|
|
va_list ap;
|
|
int rc;
|
|
char *sql2;
|
|
|
|
va_start (ap, sql);
|
|
sql2 = sqlite3_vmprintf (sql, ap);
|
|
va_end (ap);
|
|
|
|
#if 0
|
|
log_debug ("tofo db: executing: '%s'\n", sql2);
|
|
#endif
|
|
|
|
rc = sqlite3_exec (db, sql2, callback, cookie, errmsg);
|
|
|
|
sqlite3_free (sql2);
|
|
|
|
return rc;
|
|
}
|
|
|
|
|
|
/* Collect results of a select count (*) ...; style query. Aborts if
|
|
the argument is not a valid integer (or real of the form X.0). */
|
|
static int
|
|
get_single_unsigned_long_cb (void *cookie, int argc, char **argv,
|
|
char **azColName)
|
|
{
|
|
unsigned long int *count = cookie;
|
|
char *tail = NULL;
|
|
|
|
(void) azColName;
|
|
|
|
assert (argc == 1);
|
|
|
|
errno = 0;
|
|
*count = strtoul (argv[0], &tail, 0);
|
|
if (errno || ! (strcmp (tail, ".0") == 0 || *tail == '\0'))
|
|
/* Abort. */
|
|
return 1;
|
|
return 0;
|
|
}
|
|
|
|
/* We expect a single integer column whose name is "version". COOKIE
|
|
must point to an int. This function always aborts. On error or a
|
|
if the version is bad, sets *VERSION to -1. */
|
|
static int
|
|
version_check_cb (void *cookie, int argc, char **argv, char **azColName)
|
|
{
|
|
int *version = cookie;
|
|
|
|
if (argc != 1 || strcmp (azColName[0], "version") != 0)
|
|
{
|
|
*version = -1;
|
|
return 1;
|
|
}
|
|
|
|
if (strcmp (argv[0], "1") == 0)
|
|
*version = 1;
|
|
else
|
|
{
|
|
log_error (_("unsupported TOFU DB version: %s\n"), argv[0]);
|
|
*version = -1;
|
|
}
|
|
|
|
/* Don't run again. */
|
|
return 1;
|
|
}
|
|
|
|
|
|
/* If the DB is new, initialize it. Otherwise, check the DB's
|
|
version.
|
|
|
|
Return 0 if the database is okay and 1 otherwise. */
|
|
static int
|
|
initdb (sqlite3 *db, enum db_type type)
|
|
{
|
|
char *err = NULL;
|
|
int rc;
|
|
unsigned long int count;
|
|
int version = -1;
|
|
|
|
/* If the DB has no tables, then assume this is a new DB that needs
|
|
to be initialized. */
|
|
rc = sqlite3_exec (db,
|
|
"select count(*) from sqlite_master where type='table';",
|
|
get_single_unsigned_long_cb, &count, &err);
|
|
if (rc)
|
|
{
|
|
log_error (_("error querying TOFU DB's available tables: %s\n"),
|
|
err);
|
|
sqlite3_free (err);
|
|
return 1;
|
|
}
|
|
else if (count != 0)
|
|
/* Assume that the DB is already initialized. Make sure the
|
|
version is okay. */
|
|
{
|
|
rc = sqlite3_exec (db, "select version from version;", version_check_cb,
|
|
&version, &err);
|
|
if (rc == SQLITE_ABORT && version == 1)
|
|
/* Happy, happy, joy, joy. */
|
|
{
|
|
sqlite3_free (err);
|
|
return 0;
|
|
}
|
|
else if (rc == SQLITE_ABORT && version == -1)
|
|
/* Unsupported version. */
|
|
{
|
|
/* An error message was already displayed. */
|
|
sqlite3_free (err);
|
|
return 1;
|
|
}
|
|
else if (rc)
|
|
/* Some error. */
|
|
{
|
|
log_error (_("error determining TOFU DB's version: %s\n"), err);
|
|
sqlite3_free (err);
|
|
return 1;
|
|
}
|
|
else
|
|
/* Unexpected success. This can only happen if there are no
|
|
rows. */
|
|
{
|
|
log_error (_("error determining TOFU DB's version: %s\n"),
|
|
"select returned 0, but expected ABORT");
|
|
return 1;
|
|
}
|
|
}
|
|
|
|
rc = sqlite3_exec (db, "begin transaction;", NULL, NULL, &err);
|
|
if (rc)
|
|
{
|
|
log_error (_("error beginning transaction on TOFU database: %s\n"),
|
|
err);
|
|
sqlite3_free (err);
|
|
return 1;
|
|
}
|
|
|
|
/* Create the version table. */
|
|
rc = sqlite3_exec (db,
|
|
"create table version (version INTEGER);",
|
|
NULL, NULL, &err);
|
|
if (rc)
|
|
{
|
|
log_error (_("error initializing TOFU database (%s): %s\n"),
|
|
"version", err);
|
|
sqlite3_free (err);
|
|
goto out;
|
|
}
|
|
|
|
/* Initialize the version table, which contains a single integer
|
|
value. */
|
|
rc = sqlite3_exec (db,
|
|
"insert into version values (1);",
|
|
NULL, NULL, &err);
|
|
if (rc)
|
|
{
|
|
log_error (_("error initializing TOFU database (%s): %s\n"),
|
|
"version, init", err);
|
|
sqlite3_free (err);
|
|
goto out;
|
|
}
|
|
|
|
/* The list of <fingerprint, email> bindings and auxiliary data.
|
|
|
|
OID is a unique ID identifying this binding (and used by the
|
|
signatures table, see below). Note: OIDs will never be
|
|
reused.
|
|
|
|
FINGERPRINT: The key's fingerprint.
|
|
|
|
EMAIL: The normalized email address.
|
|
|
|
USER_ID: The unmodified user id from which EMAIL was extracted.
|
|
|
|
TIME: The time this binding was first observed.
|
|
|
|
POLICY: The trust policy (-1, 0, 1, or 2; see the
|
|
documentation for TOFU_POLICY_BAD, etc. above).
|
|
|
|
CONFLICT is either NULL or a fingerprint. Assume that we have
|
|
a binding <0xdeadbeef, foo@example.com> and then we observe
|
|
<0xbaddecaf, foo@example.com>. There two bindings conflict
|
|
(they have the same email address). When we observe the
|
|
latter binding, we warn the user about the conflict and ask
|
|
for a policy decision about the new binding. We also change
|
|
the old binding's policy to ask if it was auto. So that we
|
|
know why this occured, we also set conflict to 0xbaddecaf.
|
|
*/
|
|
if (type == DB_EMAIL || type == DB_COMBINED)
|
|
rc = sqlite3_exec_printf
|
|
(db, NULL, NULL, &err,
|
|
"create table bindings\n"
|
|
" (oid INTEGER PRIMARY KEY AUTOINCREMENT,\n"
|
|
" fingerprint TEXT, email TEXT, user_id TEXT, time INTEGER,\n"
|
|
" policy BOOLEAN CHECK (policy in (%d, %d, %d, %d, %d)),\n"
|
|
" conflict STRING,\n"
|
|
" unique (fingerprint, email));\n"
|
|
"create index bindings_fingerprint_email\n"
|
|
" on bindings (fingerprint, email);\n"
|
|
"create index bindings_email on bindings (email);\n",
|
|
TOFU_POLICY_AUTO, TOFU_POLICY_GOOD, TOFU_POLICY_UNKNOWN,
|
|
TOFU_POLICY_BAD, TOFU_POLICY_ASK);
|
|
else
|
|
/* In the split DB case, the fingerprint DB only contains a subset
|
|
of the fields. This reduces the amount of duplicated data.
|
|
|
|
Note: since the data is split on the email address, there is no
|
|
need to index the email column. */
|
|
rc = sqlite3_exec_printf
|
|
(db, NULL, NULL, &err,
|
|
"create table bindings\n"
|
|
" (oid INTEGER PRIMARY KEY AUTOINCREMENT,\n"
|
|
" fingerprint TEXT, email TEXT, user_id,\n"
|
|
" unique (fingerprint, email));\n"
|
|
"create index bindings_fingerprint\n"
|
|
" on bindings (fingerprint);\n");
|
|
if (rc)
|
|
{
|
|
log_error (_("error initializing TOFU database (%s): %s\n"),
|
|
"bindings", err);
|
|
sqlite3_free (err);
|
|
goto out;
|
|
}
|
|
|
|
if (type != DB_KEY)
|
|
{
|
|
/* The signatures that we have observed.
|
|
|
|
BINDING refers to a record in the bindings table, which
|
|
describes the binding (i.e., this is a foreign key that
|
|
references bindings.oid).
|
|
|
|
SIG_DIGEST is the digest stored in the signature.
|
|
|
|
SIG_TIME is the timestamp stored in the signature.
|
|
|
|
ORIGIN is a free-form string that describes who fed this
|
|
signature to GnuPG (e.g., email:claws).
|
|
|
|
TIME is the time this signature was registered. */
|
|
rc = sqlite3_exec (db,
|
|
"create table signatures "
|
|
" (binding INTEGER NOT NULL, sig_digest TEXT,"
|
|
" origin TEXT, sig_time INTEGER, time INTEGER,"
|
|
" primary key (binding, sig_digest, origin));",
|
|
NULL, NULL, &err);
|
|
if (rc)
|
|
{
|
|
log_error (_("error initializing TOFU database (%s): %s\n"),
|
|
"signatures", err);
|
|
sqlite3_free (err);
|
|
goto out;
|
|
}
|
|
}
|
|
|
|
out:
|
|
if (rc)
|
|
{
|
|
rc = sqlite3_exec (db, "rollback;", NULL, NULL, &err);
|
|
if (rc)
|
|
{
|
|
log_error (_("error aborting transaction on TOFU DB: %s\n"),
|
|
err);
|
|
sqlite3_free (err);
|
|
}
|
|
return 1;
|
|
}
|
|
else
|
|
{
|
|
rc = sqlite3_exec (db, "commit transaction;", NULL, NULL, &err);
|
|
if (rc)
|
|
{
|
|
log_error (_("error committing transaction on TOFU DB: %s\n"),
|
|
err);
|
|
sqlite3_free (err);
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
static sqlite3 *combined_db;
|
|
|
|
/* Open and initialize a low-level TOFU database. Returns NULL on
|
|
failure. This function should not normally be directly called to
|
|
get a database handle. Instead, use getdb(). */
|
|
static sqlite3 *
|
|
opendb (char *filename, enum db_type type)
|
|
{
|
|
sqlite3 *db;
|
|
int filename_free = 0;
|
|
int rc;
|
|
|
|
if (opt.tofu_db_format == TOFU_DB_FLAT)
|
|
{
|
|
assert (! filename);
|
|
assert (type == DB_COMBINED);
|
|
|
|
if (combined_db)
|
|
return combined_db;
|
|
|
|
filename = make_filename (opt.homedir, "tofu.db", NULL);
|
|
filename_free = 1;
|
|
}
|
|
else
|
|
assert (type == DB_EMAIL || type == DB_KEY);
|
|
|
|
assert (filename);
|
|
|
|
rc = sqlite3_open (filename, &db);
|
|
if (rc)
|
|
{
|
|
log_error (_("can't open TOFU DB ('%s'): %s\n"),
|
|
filename, sqlite3_errmsg (db));
|
|
/* Even if an error occurs, DB is guaranteed to be valid. */
|
|
sqlite3_close (db);
|
|
db = NULL;
|
|
}
|
|
|
|
if (filename_free)
|
|
xfree (filename);
|
|
|
|
if (db && initdb (db, type))
|
|
{
|
|
sqlite3_close (db);
|
|
db = NULL;
|
|
}
|
|
|
|
if (opt.tofu_db_format == TOFU_DB_FLAT)
|
|
combined_db = db;
|
|
|
|
return db;
|
|
}
|
|
|
|
/* Return a database handle. <type, name> describes the required
|
|
database. If there is a cached handle in DBS, that handle is
|
|
returned. Otherwise, the database is opened and cached in DBS.
|
|
|
|
NAME is the name of the DB and may not be NULL.
|
|
|
|
TYPE must be either DB_MAIL or DB_KEY. In the combined format, the
|
|
combined DB is always returned. */
|
|
static sqlite3 *
|
|
getdb (struct db *dbs, const char *name, enum db_type type)
|
|
{
|
|
struct db *t = NULL;
|
|
sqlite3 *sqlitedb = NULL;
|
|
char *name_sanitized = NULL;
|
|
char *filename = NULL;
|
|
int i;
|
|
|
|
assert (name);
|
|
assert (type == DB_EMAIL || type == DB_KEY);
|
|
|
|
assert (dbs);
|
|
/* The first entry is always for the combined DB. */
|
|
assert (dbs->type == DB_COMBINED);
|
|
assert (! dbs->name[0]);
|
|
|
|
if (opt.tofu_db_format == TOFU_DB_FLAT)
|
|
/* When using the flat format, we only have a single combined
|
|
DB. */
|
|
{
|
|
assert (dbs->db);
|
|
assert (! dbs->next);
|
|
return dbs->db;
|
|
}
|
|
else
|
|
/* When using the split format the first entry on the DB list is a
|
|
dummy entry. */
|
|
assert (! dbs->db);
|
|
|
|
/* We have the split format. */
|
|
|
|
/* Only allow alpha-numeric characters in the filename. */
|
|
name_sanitized = xstrdup (name);
|
|
for (i = 0; name[i]; i ++)
|
|
{
|
|
char c = name_sanitized[i];
|
|
if (! (('a' <= c && c <= 'z')
|
|
|| ('A' <= c && c <= 'Z')
|
|
|| ('0' <= c && c <= '9')))
|
|
name_sanitized[i] = '_';
|
|
}
|
|
|
|
/* See if the DB is cached. */
|
|
for (t = dbs->next; t; t = t->next)
|
|
if (type == t->type && strcmp (t->name, name_sanitized) == 0)
|
|
goto out;
|
|
|
|
/* Open the DB. The filename has the form:
|
|
|
|
tofu.d/TYPE/PREFIX/NAME.db
|
|
|
|
We use a short prefix to try to avoid having many files in a
|
|
single directory. */
|
|
{
|
|
char *type_str = type == DB_EMAIL ? "email" : "key";
|
|
char prefix[3] = { name_sanitized[0], name_sanitized[1], 0 };
|
|
char *name_db;
|
|
|
|
/* Make the directory. */
|
|
if (gnupg_mkdir_p (opt.homedir, "tofu.d", type_str, prefix, NULL) != 0)
|
|
{
|
|
log_error (_("unable to create directory %s/%s/%s/%s"),
|
|
opt.homedir, "tofu.d", type_str, prefix);
|
|
g10_exit (1);
|
|
}
|
|
|
|
name_db = xstrconcat (name_sanitized, ".db", NULL);
|
|
filename = make_filename
|
|
(opt.homedir, "tofu.d", type_str, prefix, name_db, NULL);
|
|
xfree (name_db);
|
|
}
|
|
|
|
sqlitedb = opendb (filename, type);
|
|
if (! sqlitedb)
|
|
goto out;
|
|
|
|
t = xmalloc (sizeof (struct db) + strlen (name_sanitized));
|
|
t->type = type;
|
|
t->db = sqlitedb;
|
|
strcpy (t->name, name_sanitized);
|
|
|
|
/* Insert it immediately after the first element. */
|
|
t->next = dbs->next;
|
|
dbs->next = t;
|
|
|
|
out:
|
|
xfree (filename);
|
|
xfree (name_sanitized);
|
|
|
|
if (! t)
|
|
return NULL;
|
|
return t->db;
|
|
}
|
|
|
|
|
|
/* Create a new DB meta-handle. Returns NULL on error. */
|
|
static struct db *
|
|
opendbs (void)
|
|
{
|
|
sqlite3 *db = NULL;
|
|
struct db *dbs;
|
|
|
|
if (opt.tofu_db_format == TOFU_DB_AUTO)
|
|
{
|
|
char *filename = make_filename (opt.homedir, "tofu.db", NULL);
|
|
struct stat s;
|
|
int have_tofu_db = 0;
|
|
int have_tofu_d = 0;
|
|
|
|
if (stat (filename, &s) == 0)
|
|
{
|
|
have_tofu_db = 1;
|
|
if (DBG_TRUST)
|
|
log_debug ("%s exists.\n", filename);
|
|
}
|
|
else
|
|
{
|
|
if (DBG_TRUST)
|
|
log_debug ("%s does not exist.\n", filename);
|
|
}
|
|
|
|
/* We now have tofu.d. */
|
|
filename[strlen (filename) - 1] = '\0';
|
|
if (stat (filename, &s) == 0)
|
|
{
|
|
have_tofu_d = 1;
|
|
if (DBG_TRUST)
|
|
log_debug ("%s exists.\n", filename);
|
|
}
|
|
else
|
|
{
|
|
if (DBG_TRUST)
|
|
log_debug ("%s does not exist.\n", filename);
|
|
}
|
|
|
|
xfree (filename);
|
|
|
|
if (have_tofu_db && have_tofu_d)
|
|
{
|
|
log_info (_("Warning: Home directory contains both tofu.db and tofu.d. Using split format for TOFU DB.\n"));
|
|
opt.tofu_db_format = TOFU_DB_SPLIT;
|
|
}
|
|
else if (have_tofu_db)
|
|
{
|
|
opt.tofu_db_format = TOFU_DB_FLAT;
|
|
if (DBG_TRUST)
|
|
log_debug ("Using flat format for TOFU DB.\n");
|
|
}
|
|
else if (have_tofu_d)
|
|
{
|
|
opt.tofu_db_format = TOFU_DB_SPLIT;
|
|
if (DBG_TRUST)
|
|
log_debug ("Using split format for TOFU DB.\n");
|
|
}
|
|
else
|
|
{
|
|
opt.tofu_db_format = TOFU_DB_SPLIT;
|
|
if (DBG_TRUST)
|
|
log_debug ("Using split format for TOFU DB.\n");
|
|
}
|
|
}
|
|
|
|
if (opt.tofu_db_format == TOFU_DB_FLAT)
|
|
{
|
|
db = opendb (NULL, DB_COMBINED);
|
|
if (! db)
|
|
return NULL;
|
|
}
|
|
else
|
|
{
|
|
/* Create a dummy entry so that we have a handle. */
|
|
}
|
|
|
|
dbs = xmalloc_clear (sizeof (*dbs));
|
|
dbs->db = db;
|
|
dbs->type = DB_COMBINED;
|
|
|
|
return dbs;
|
|
}
|
|
|
|
/* Release all of the resources associated with a DB meta-handle. */
|
|
static void
|
|
closedbs (struct db *dbs)
|
|
{
|
|
struct db *db;
|
|
struct db *n;
|
|
|
|
/* The first entry is always the combined DB. */
|
|
assert (dbs->type == DB_COMBINED);
|
|
if (opt.tofu_db_format == TOFU_DB_FLAT)
|
|
{
|
|
/* If we are using the flat format, then there is only ever the
|
|
combined DB. */
|
|
assert (! dbs->next);
|
|
assert (dbs->db);
|
|
assert (dbs->db == combined_db);
|
|
}
|
|
else
|
|
/* In the split format, the combined record is just a place holder
|
|
so that we have a stable handle. */
|
|
assert (! dbs->db);
|
|
|
|
for (db = dbs; db; db = n)
|
|
{
|
|
n = db->next;
|
|
|
|
if (combined_db && db->db == combined_db)
|
|
{
|
|
assert (opt.tofu_db_format == TOFU_DB_FLAT);
|
|
assert (dbs == db);
|
|
assert (db->type == DB_COMBINED);
|
|
assert (! db->name[0]);
|
|
}
|
|
else if (db->db)
|
|
/* Not the dummy entry. */
|
|
{
|
|
if (dbs == db)
|
|
/* The first entry. */
|
|
{
|
|
assert (opt.tofu_db_format == TOFU_DB_FLAT);
|
|
assert (db->type == DB_COMBINED);
|
|
assert (! db->name[0]);
|
|
}
|
|
else
|
|
/* Not the first entry. */
|
|
{
|
|
assert (opt.tofu_db_format == TOFU_DB_SPLIT);
|
|
assert (db->type != DB_COMBINED);
|
|
assert (db->name[0]);
|
|
}
|
|
|
|
sqlite3_close (db->db);
|
|
}
|
|
else
|
|
/* The dummy entry. */
|
|
{
|
|
assert (opt.tofu_db_format == TOFU_DB_SPLIT);
|
|
assert (dbs == db);
|
|
assert (db->type == DB_COMBINED);
|
|
assert (! db->name[0]);
|
|
}
|
|
|
|
xfree (db);
|
|
}
|
|
}
|
|
|
|
|
|
/* Collect results of a select min (foo) ...; style query. Aborts if
|
|
the argument is not a valid integer (or real of the form X.0). */
|
|
static int
|
|
get_single_long_cb (void *cookie, int argc, char **argv, char **azColName)
|
|
{
|
|
long *count = cookie;
|
|
char *tail = NULL;
|
|
|
|
(void) azColName;
|
|
|
|
assert (argc == 1);
|
|
|
|
errno = 0;
|
|
*count = strtol (argv[0], &tail, 0);
|
|
if (errno || ! (strcmp (tail, ".0") == 0 || *tail == '\0'))
|
|
/* Abort. */
|
|
return 1;
|
|
return 0;
|
|
}
|
|
|
|
|
|
/* Record (or update) a trust policy about a (possibly new)
|
|
binding.
|
|
|
|
If SHOW_OLD is set, the binding's old policy is displayed. */
|
|
static gpg_error_t
|
|
record_binding (struct db *dbs, const char *fingerprint, const char *email,
|
|
const char *user_id, enum tofu_policy policy, int show_old)
|
|
{
|
|
sqlite3 *db_email = NULL, *db_key = NULL;
|
|
int rc;
|
|
char *err = NULL;
|
|
enum tofu_policy policy_old = TOFU_POLICY_NONE;
|
|
|
|
if (! (policy == TOFU_POLICY_AUTO
|
|
|| policy == TOFU_POLICY_GOOD
|
|
|| policy == TOFU_POLICY_UNKNOWN
|
|
|| policy == TOFU_POLICY_BAD
|
|
|| policy == TOFU_POLICY_ASK))
|
|
log_bug ("%s: Bad value for policy (%d)!\n", __func__, policy);
|
|
|
|
db_email = getdb (dbs, email, DB_EMAIL);
|
|
if (! db_email)
|
|
return gpg_error (GPG_ERR_GENERAL);
|
|
|
|
if (opt.tofu_db_format == TOFU_DB_SPLIT)
|
|
/* In the split format, we need to update two DBs. To keep them
|
|
consistent, we start a transaction on each. Note: this is the
|
|
only place where we start two transaction and we always start
|
|
transaction on the DB_KEY DB first, thus deadlock is not
|
|
possible. */
|
|
{
|
|
db_key = getdb (dbs, fingerprint, DB_KEY);
|
|
if (! db_key)
|
|
return gpg_error (GPG_ERR_GENERAL);
|
|
|
|
rc = sqlite3_exec (db_email, "begin transaction;", NULL, NULL, &err);
|
|
if (rc)
|
|
{
|
|
log_error (_("error beginning transaction on TOFU %s database: %s\n"),
|
|
"email", err);
|
|
sqlite3_free (err);
|
|
return gpg_error (GPG_ERR_GENERAL);
|
|
}
|
|
|
|
rc = sqlite3_exec (db_key, "begin transaction;", NULL, NULL, &err);
|
|
if (rc)
|
|
{
|
|
log_error (_("error beginning transaction on TOFU %s database: %s\n"),
|
|
"key", err);
|
|
sqlite3_free (err);
|
|
goto out_revert_one;
|
|
}
|
|
}
|
|
|
|
if (show_old)
|
|
/* Get the old policy. Since this is just for informational
|
|
purposes, there is no need to start a transaction or to die if
|
|
there is a failure. */
|
|
{
|
|
rc = sqlite3_exec_printf
|
|
(db_email, get_single_long_cb, &policy_old, &err,
|
|
"select policy from bindings where fingerprint = %Q and email = %Q",
|
|
fingerprint, email);
|
|
if (rc)
|
|
{
|
|
log_debug ("TOFU: Error reading from binding database"
|
|
" (reading policy for <%s, %s>): %s\n",
|
|
fingerprint, email, err);
|
|
sqlite3_free (err);
|
|
}
|
|
}
|
|
|
|
if (DBG_TRUST)
|
|
{
|
|
if (policy_old != TOFU_POLICY_NONE)
|
|
log_debug ("Changing TOFU trust policy for binding <%s, %s>"
|
|
" from %s to %s.\n",
|
|
fingerprint, email,
|
|
tofu_policy_str (policy_old),
|
|
tofu_policy_str (policy));
|
|
else
|
|
log_debug ("Set TOFU trust policy for binding <%s, %s> to %s.\n",
|
|
fingerprint, email,
|
|
tofu_policy_str (policy));
|
|
}
|
|
|
|
if (policy_old == policy)
|
|
/* Nothing to do. */
|
|
goto out;
|
|
|
|
rc = sqlite3_exec_printf
|
|
(db_email, NULL, NULL, &err,
|
|
"insert or replace into bindings\n"
|
|
" (oid, fingerprint, email, user_id, time, policy)\n"
|
|
" values (\n"
|
|
/* If we don't explicitly reuse the OID, then SQLite will
|
|
reallocate a new one. We just need to search for the OID
|
|
based on the fingerprint and email since they are unique. */
|
|
" (select oid from bindings where fingerprint = %Q and email = %Q),\n"
|
|
" %Q, %Q, %Q, strftime('%%s','now'), %d);",
|
|
fingerprint, email, fingerprint, email, user_id, policy);
|
|
if (rc)
|
|
{
|
|
log_error (_("error updating TOFU binding database"
|
|
" (inserting <%s, %s> = %s): %s\n"),
|
|
fingerprint, email, tofu_policy_str (policy),
|
|
err);
|
|
sqlite3_free (err);
|
|
goto out;
|
|
}
|
|
|
|
if (db_key)
|
|
/* We also need to update the key DB. */
|
|
{
|
|
assert (opt.tofu_db_format == TOFU_DB_SPLIT);
|
|
|
|
rc = sqlite3_exec_printf
|
|
(db_key, NULL, NULL, &err,
|
|
"insert or replace into bindings\n"
|
|
" (oid, fingerprint, email, user_id)\n"
|
|
" values (\n"
|
|
/* If we don't explicitly reuse the OID, then SQLite will
|
|
reallocate a new one. We just need to search for the OID
|
|
based on the fingerprint and email since they are unique. */
|
|
" (select oid from bindings where fingerprint = %Q and email = %Q),\n"
|
|
" %Q, %Q, %Q);",
|
|
fingerprint, email, fingerprint, email, user_id);
|
|
if (rc)
|
|
{
|
|
log_error (_("error updating TOFU binding database"
|
|
" (inserting <%s, %s>): %s\n"),
|
|
fingerprint, email, err);
|
|
sqlite3_free (err);
|
|
goto out;
|
|
}
|
|
}
|
|
else
|
|
assert (opt.tofu_db_format == TOFU_DB_FLAT);
|
|
|
|
out:
|
|
if (opt.tofu_db_format == TOFU_DB_SPLIT)
|
|
/* We only need a transaction for the split format. */
|
|
{
|
|
int rc2;
|
|
|
|
rc2 = sqlite3_exec_printf (db_key, NULL, NULL, &err,
|
|
rc ? "rollback;" : "end transaction;");
|
|
if (rc2)
|
|
{
|
|
log_error (_("error ending transaction on TOFU database: %s\n"),
|
|
err);
|
|
sqlite3_free (err);
|
|
}
|
|
|
|
out_revert_one:
|
|
rc2 = sqlite3_exec_printf (db_email, NULL, NULL, &err,
|
|
rc ? "rollback;" : "end transaction;");
|
|
if (rc2)
|
|
{
|
|
log_error (_("error ending transaction on TOFU database: %s\n"),
|
|
err);
|
|
sqlite3_free (err);
|
|
}
|
|
}
|
|
|
|
if (rc)
|
|
return gpg_error (GPG_ERR_GENERAL);
|
|
return 0;
|
|
}
|
|
|
|
|
|
/* Collect the strings returned by a query in a simply string list.
|
|
Any NULL values are converted to the empty string.
|
|
|
|
If a result has 3 rows and each row contains two columns, then the
|
|
results are added to the list as follows (the value is parentheses
|
|
is the 1-based index in the final list):
|
|
|
|
row 1, col 2 (6)
|
|
row 1, col 1 (5)
|
|
row 2, col 2 (4)
|
|
row 2, col 1 (3)
|
|
row 3, col 2 (2)
|
|
row 3, col 1 (1)
|
|
|
|
This is because add_to_strlist pushes the results onto the front of
|
|
the list. The end result is that the rows are backwards, but the
|
|
columns are in the expected order. */
|
|
static int
|
|
strings_collect_cb (void *cookie, int argc, char **argv, char **azColName)
|
|
{
|
|
int i;
|
|
strlist_t *strlist = cookie;
|
|
|
|
(void) azColName;
|
|
|
|
for (i = argc - 1; i >= 0; i --)
|
|
add_to_strlist (strlist, argv[i] ? argv[i] : "");
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* Auxiliary data structure to collect statistics about
|
|
signatures. */
|
|
struct signature_stats
|
|
{
|
|
struct signature_stats *next;
|
|
|
|
/* The user-assigned policy for this binding. */
|
|
enum tofu_policy policy;
|
|
|
|
/* How long ago the signature was created (rounded to a multiple of
|
|
TIME_AGO_UNIT_SMALL, etc.). */
|
|
long time_ago;
|
|
/* Number of signatures during this time. */
|
|
unsigned long count;
|
|
|
|
/* The key that generated this signature. */
|
|
char fingerprint[1];
|
|
};
|
|
|
|
static void
|
|
signature_stats_free (struct signature_stats *stats)
|
|
{
|
|
while (stats)
|
|
{
|
|
struct signature_stats *next = stats->next;
|
|
xfree (stats);
|
|
stats = next;
|
|
}
|
|
}
|
|
|
|
static void
|
|
signature_stats_prepend (struct signature_stats **statsp,
|
|
const char *fingerprint,
|
|
enum tofu_policy policy,
|
|
long time_ago,
|
|
unsigned long count)
|
|
{
|
|
struct signature_stats *stats =
|
|
xmalloc (sizeof (*stats) + strlen (fingerprint));
|
|
|
|
stats->next = *statsp;
|
|
*statsp = stats;
|
|
|
|
strcpy (stats->fingerprint, fingerprint);
|
|
stats->policy = policy;
|
|
stats->time_ago = time_ago;
|
|
stats->count = count;
|
|
}
|
|
|
|
|
|
/* Process rows that contain the four columns:
|
|
|
|
<fingerprint, policy, time ago, count>. */
|
|
static int
|
|
signature_stats_collect_cb (void *cookie, int argc, char **argv,
|
|
char **azColName)
|
|
{
|
|
struct signature_stats **statsp = cookie;
|
|
char *tail;
|
|
int i = 0;
|
|
enum tofu_policy policy;
|
|
long time_ago;
|
|
unsigned long count;
|
|
|
|
(void) azColName;
|
|
|
|
i ++;
|
|
|
|
tail = NULL;
|
|
errno = 0;
|
|
policy = strtol (argv[i], &tail, 0);
|
|
if (errno || ! (strcmp (tail, ".0") == 0 || *tail == '\0'))
|
|
{
|
|
/* Abort. */
|
|
log_error ("%s: Error converting %s to an integer (tail = '%s')\n",
|
|
__func__, argv[i], tail);
|
|
return 1;
|
|
}
|
|
i ++;
|
|
|
|
tail = NULL;
|
|
errno = 0;
|
|
time_ago = strtol (argv[i], &tail, 0);
|
|
if (errno || ! (strcmp (tail, ".0") == 0 || *tail == '\0'))
|
|
{
|
|
/* Abort. */
|
|
log_error ("%s: Error converting %s to an integer (tail = '%s')\n",
|
|
__func__, argv[i], tail);
|
|
return 1;
|
|
}
|
|
i ++;
|
|
|
|
tail = NULL;
|
|
errno = 0;
|
|
count = strtoul (argv[i], &tail, 0);
|
|
if (errno || ! (strcmp (tail, ".0") == 0 || *tail == '\0'))
|
|
{
|
|
/* Abort. */
|
|
log_error ("%s: Error converting %s to an integer (tail = '%s')\n",
|
|
__func__, argv[i], tail);
|
|
return 1;
|
|
}
|
|
i ++;
|
|
|
|
assert (argc == i);
|
|
|
|
signature_stats_prepend (statsp, argv[0], policy, time_ago, count);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* Convert from seconds to time units.
|
|
|
|
Note: T should already be a multiple of TIME_AGO_UNIT_SMALL or
|
|
TIME_AGO_UNIT_MEDIUM or TIME_AGO_UNIT_LARGE. */
|
|
signed long
|
|
time_ago_scale (signed long t)
|
|
{
|
|
if (t < TIME_AGO_UNIT_MEDIUM)
|
|
return t / TIME_AGO_UNIT_SMALL;
|
|
if (t < TIME_AGO_UNIT_LARGE)
|
|
return t / TIME_AGO_UNIT_MEDIUM;
|
|
return t / TIME_AGO_UNIT_LARGE;
|
|
}
|
|
|
|
/* Return the appropriate unit (respecting whether it is plural or
|
|
singular). */
|
|
const char *
|
|
time_ago_unit (signed long t)
|
|
{
|
|
signed long t_scaled = time_ago_scale (t);
|
|
|
|
if (t < TIME_AGO_UNIT_MEDIUM)
|
|
{
|
|
if (t_scaled == 1)
|
|
return TIME_AGO_UNIT_SMALL_NAME;
|
|
return TIME_AGO_UNIT_SMALL_NAME_PLURAL;
|
|
}
|
|
if (t < TIME_AGO_UNIT_LARGE)
|
|
{
|
|
if (t_scaled == 1)
|
|
return TIME_AGO_UNIT_MEDIUM_NAME;
|
|
return TIME_AGO_UNIT_MEDIUM_NAME_PLURAL;
|
|
}
|
|
if (t_scaled == 1)
|
|
return TIME_AGO_UNIT_LARGE_NAME;
|
|
return TIME_AGO_UNIT_LARGE_NAME_PLURAL;
|
|
}
|
|
|
|
|
|
/* Return the policy for the binding <FINGERPRINT, EMAIL> (email has
|
|
already been normalized) and any conflict information in *CONFLICT
|
|
if CONFLICT is not NULL. Returns _tofu_GET_POLICY_ERROR if an error
|
|
occurs. */
|
|
static enum tofu_policy
|
|
get_policy (struct db *dbs, const char *fingerprint, const char *email,
|
|
char **conflict)
|
|
{
|
|
sqlite3 *db;
|
|
int rc;
|
|
char *err = NULL;
|
|
strlist_t strlist = NULL;
|
|
char *tail = NULL;
|
|
enum tofu_policy policy = _tofu_GET_POLICY_ERROR;
|
|
|
|
db = getdb (dbs, email, DB_EMAIL);
|
|
if (! db)
|
|
return _tofu_GET_POLICY_ERROR;
|
|
|
|
/* Check if the <FINGERPRINT, EMAIL> binding is known
|
|
(TOFU_POLICY_NONE cannot appear in the DB. Thus, if POLICY is
|
|
still TOFU_POLICY_NONE after executing the query, then the
|
|
result set was empty.) */
|
|
rc = sqlite3_exec_printf
|
|
(db, strings_collect_cb, &strlist, &err,
|
|
"select policy, conflict from bindings\n"
|
|
" where fingerprint = %Q and email = %Q",
|
|
fingerprint, email);
|
|
if (rc)
|
|
{
|
|
log_error (_("error reading from TOFU database"
|
|
" (checking for existing bad bindings): %s\n"),
|
|
err);
|
|
sqlite3_free (err);
|
|
goto out;
|
|
}
|
|
|
|
if (strlist_length (strlist) == 0)
|
|
/* No results. */
|
|
{
|
|
policy = TOFU_POLICY_NONE;
|
|
goto out;
|
|
}
|
|
else if (strlist_length (strlist) != 2)
|
|
/* The result has the wrong form. */
|
|
{
|
|
log_error (_("error reading from TOFU database"
|
|
" (checking for existing bad bindings):"
|
|
" expected 2 results, got %d\n"),
|
|
strlist_length (strlist));
|
|
goto out;
|
|
}
|
|
|
|
/* The result has the right form. */
|
|
|
|
errno = 0;
|
|
policy = strtol (strlist->d, &tail, 0);
|
|
if (errno || *tail != '\0')
|
|
{
|
|
log_error (_("error reading from TOFU database: bad value for policy: %s\n"),
|
|
strlist->d);
|
|
goto out;
|
|
}
|
|
|
|
if (! (policy == TOFU_POLICY_AUTO
|
|
|| policy == TOFU_POLICY_GOOD
|
|
|| policy == TOFU_POLICY_UNKNOWN
|
|
|| policy == TOFU_POLICY_BAD
|
|
|| policy == TOFU_POLICY_ASK))
|
|
{
|
|
log_error (_("TOFU DB is corrupted. Invalid value for policy (%d).\n"),
|
|
policy);
|
|
policy = _tofu_GET_POLICY_ERROR;
|
|
goto out;
|
|
}
|
|
|
|
|
|
/* If CONFLICT is set, then policy should be TOFU_POLICY_ASK. But,
|
|
just in case, we do the check again here and ignore the conflict
|
|
is POLICY is not TOFU_POLICY_ASK. */
|
|
if (conflict)
|
|
{
|
|
if (policy == TOFU_POLICY_ASK && *strlist->next->d)
|
|
*conflict = xstrdup (strlist->next->d);
|
|
else
|
|
*conflict = NULL;
|
|
}
|
|
|
|
out:
|
|
assert (policy == _tofu_GET_POLICY_ERROR
|
|
|| policy == TOFU_POLICY_NONE
|
|
|| policy == TOFU_POLICY_AUTO
|
|
|| policy == TOFU_POLICY_GOOD
|
|
|| policy == TOFU_POLICY_UNKNOWN
|
|
|| policy == TOFU_POLICY_BAD
|
|
|| policy == TOFU_POLICY_ASK);
|
|
|
|
free_strlist (strlist);
|
|
|
|
return policy;
|
|
}
|
|
|
|
/* Return the trust level (TRUST_NEVER, etc.) for the binding
|
|
<FINGERPRINT, EMAIL> (email is already normalized). If no policy
|
|
is registered, returns TOFU_POLICY_NONE. If an error occurs,
|
|
returns _tofu_GET_TRUST_ERROR.
|
|
|
|
USER_ID is the unadultered user id.
|
|
|
|
If MAY_ASK is set, then we may interact with the user. This is
|
|
necessary if there is a conflict or the binding's policy is
|
|
TOFU_POLICY_ASK. In the case of a conflict, we set the new
|
|
conflicting binding's policy to TOFU_POLICY_ASK. In either case,
|
|
we return TRUST_UNDEFINED. */
|
|
static enum tofu_policy
|
|
get_trust (struct db *dbs, const char *fingerprint, const char *email,
|
|
const char *user_id, int may_ask)
|
|
{
|
|
sqlite3 *db;
|
|
enum tofu_policy policy;
|
|
char *conflict = NULL;
|
|
int rc;
|
|
char *err = NULL;
|
|
strlist_t bindings_with_this_email = NULL;
|
|
int bindings_with_this_email_count;
|
|
int change_conflicting_to_ask = 0;
|
|
int trust_level = TRUST_UNKNOWN;
|
|
|
|
if (opt.batch)
|
|
may_ask = 0;
|
|
|
|
/* Make sure _tofu_GET_TRUST_ERROR isn't equal to any of the trust
|
|
levels. */
|
|
assert (_tofu_GET_TRUST_ERROR != TRUST_UNKNOWN
|
|
&& _tofu_GET_TRUST_ERROR != TRUST_EXPIRED
|
|
&& _tofu_GET_TRUST_ERROR != TRUST_UNDEFINED
|
|
&& _tofu_GET_TRUST_ERROR != TRUST_NEVER
|
|
&& _tofu_GET_TRUST_ERROR != TRUST_MARGINAL
|
|
&& _tofu_GET_TRUST_ERROR != TRUST_FULLY
|
|
&& _tofu_GET_TRUST_ERROR != TRUST_ULTIMATE);
|
|
|
|
db = getdb (dbs, email, DB_EMAIL);
|
|
if (! db)
|
|
return _tofu_GET_TRUST_ERROR;
|
|
|
|
policy = get_policy (dbs, fingerprint, email, &conflict);
|
|
if (policy == TOFU_POLICY_AUTO)
|
|
{
|
|
policy = opt.tofu_default_policy;
|
|
if (DBG_TRUST)
|
|
log_debug ("TOFU: binding <%s, %s>'s policy is auto (default: %s).\n",
|
|
fingerprint, email,
|
|
tofu_policy_str (opt.tofu_default_policy));
|
|
}
|
|
switch (policy)
|
|
{
|
|
case TOFU_POLICY_AUTO:
|
|
case TOFU_POLICY_GOOD:
|
|
case TOFU_POLICY_UNKNOWN:
|
|
case TOFU_POLICY_BAD:
|
|
/* The saved judgement is auto -> auto, good, unknown or bad.
|
|
We don't need to ask the user anything. */
|
|
if (DBG_TRUST)
|
|
log_debug ("TOFU: Known binding <%s, %s>'s policy: %s\n",
|
|
fingerprint, email, tofu_policy_str (policy));
|
|
trust_level = tofu_policy_to_trust_level (policy);
|
|
goto out;
|
|
|
|
case TOFU_POLICY_ASK:
|
|
/* We need to ask the user what to do. Case #1 or #2 below. */
|
|
if (! may_ask)
|
|
{
|
|
trust_level = TRUST_UNDEFINED;
|
|
goto out;
|
|
}
|
|
|
|
break;
|
|
|
|
case TOFU_POLICY_NONE:
|
|
/* The binding is new, we need to check for conflicts. Case #3
|
|
below. */
|
|
break;
|
|
|
|
case _tofu_GET_POLICY_ERROR:
|
|
trust_level = _tofu_GET_TRUST_ERROR;
|
|
goto out;
|
|
|
|
default:
|
|
log_bug ("%s: Impossible value for policy (%d)\n", __func__, policy);
|
|
}
|
|
|
|
|
|
/* We get here if:
|
|
|
|
1. The saved policy is auto and the default policy is ask
|
|
(get_policy() == TOFU_POLICY_AUTO
|
|
&& opt.tofu_default_policy == TOFU_POLICY_ASK)
|
|
|
|
2. The saved policy is ask (either last time the user selected
|
|
accept once or reject once or there was a conflict and this
|
|
binding's policy was changed from auto to ask)
|
|
(policy == TOFU_POLICY_ASK), or,
|
|
|
|
3. We don't have a saved policy (policy == TOFU_POLICY_NONE)
|
|
(need to check for a conflict).
|
|
*/
|
|
|
|
/* Look for conflicts. This is need in all 3 cases.
|
|
|
|
Get the fingerprints of any bindings that share the email
|
|
address. Note: if the binding in question is in the DB, it will
|
|
also be returned. Thus, if the result set is empty, then this is
|
|
a new binding. */
|
|
rc = sqlite3_exec_printf
|
|
(db, strings_collect_cb, &bindings_with_this_email, &err,
|
|
"select distinct fingerprint from bindings where email = %Q;",
|
|
email);
|
|
if (rc)
|
|
{
|
|
log_error (_("error reading from TOFU database"
|
|
" (listing fingerprints): %s\n"),
|
|
err);
|
|
sqlite3_free (err);
|
|
goto out;
|
|
}
|
|
|
|
bindings_with_this_email_count = strlist_length (bindings_with_this_email);
|
|
if (bindings_with_this_email_count == 0
|
|
&& opt.tofu_default_policy != TOFU_POLICY_ASK)
|
|
/* New binding with no conflict and a concrete default policy.
|
|
|
|
We've never observed a binding with this email address
|
|
(BINDINGS_WITH_THIS_EMAIL_COUNT is 0 and the above query would return
|
|
the current binding if it were in the DB) and we have a default
|
|
policy, which is not to ask the user. */
|
|
{
|
|
/* If we've seen this binding, then we've seen this email and
|
|
policy couldn't possibly be TOFU_POLICY_NONE. */
|
|
assert (policy == TOFU_POLICY_NONE);
|
|
|
|
if (DBG_TRUST)
|
|
log_debug ("TOFU: New binding <%s, %s>, no conflict.\n",
|
|
email, fingerprint);
|
|
|
|
if (record_binding (dbs, fingerprint, email, user_id,
|
|
TOFU_POLICY_AUTO, 0) != 0)
|
|
{
|
|
log_error (_("error setting TOFU binding's trust level to %s\n"),
|
|
"auto");
|
|
trust_level = _tofu_GET_TRUST_ERROR;
|
|
goto out;
|
|
}
|
|
|
|
trust_level = tofu_policy_to_trust_level (TOFU_POLICY_AUTO);
|
|
goto out;
|
|
}
|
|
|
|
if (policy == TOFU_POLICY_NONE)
|
|
/* This is a new binding and we have a conflict. Mark any
|
|
conflicting bindings that have an automatic policy as now
|
|
requiring confirmation. Note: we delay this until after we ask
|
|
for confirmation so that when the current policy is printed, it
|
|
is correct. */
|
|
change_conflicting_to_ask = 1;
|
|
|
|
if (! may_ask)
|
|
/* We can only get here in the third case (no saved policy) and if
|
|
there is a conflict. (If the policy was ask (cases #1 and #2)
|
|
and we weren't allowed to ask, we'd have already exited). */
|
|
{
|
|
assert (policy == TOFU_POLICY_NONE);
|
|
|
|
if (record_binding (dbs, fingerprint, email, user_id,
|
|
TOFU_POLICY_ASK, 0) != 0)
|
|
log_error (_("error setting TOFU binding's trust level to %s\n"),
|
|
"ask");
|
|
|
|
trust_level = TRUST_UNDEFINED;
|
|
goto out;
|
|
}
|
|
|
|
/* If we get here, we need to ask the user about the binding. There
|
|
are three ways we could end up here:
|
|
|
|
- This is a new binding and there is a conflict
|
|
(policy == TOFU_POLICY_NONE && bindings_with_this_email_count > 0),
|
|
|
|
- This is a new binding and opt.tofu_default_policy is set to
|
|
ask. (policy == TOFU_POLICY_NONE && opt.tofu_default_policy ==
|
|
TOFU_POLICY_ASK), or,
|
|
|
|
- The policy is ask (the user deferred last time) (policy ==
|
|
TOFU_POLICY_ASK).
|
|
*/
|
|
{
|
|
int is_conflict =
|
|
((policy == TOFU_POLICY_NONE && bindings_with_this_email_count > 0)
|
|
|| (policy == TOFU_POLICY_ASK && conflict));
|
|
estream_t fp;
|
|
char *binding;
|
|
int binding_shown;
|
|
strlist_t other_user_ids = NULL;
|
|
struct signature_stats *stats = NULL;
|
|
struct signature_stats *stats_iter = NULL;
|
|
char *prompt;
|
|
char *choices;
|
|
|
|
fp = es_fopenmem (0, "rw,samethread");
|
|
if (! fp)
|
|
log_fatal ("Error creating memory stream\n");
|
|
|
|
binding = xasprintf ("<%s, %s>", fingerprint, email);
|
|
binding_shown = 0;
|
|
|
|
if (policy == TOFU_POLICY_NONE)
|
|
{
|
|
es_fprintf (fp, _("The binding %s is NOT known. "), binding);
|
|
binding_shown = 1;
|
|
}
|
|
else if (policy == TOFU_POLICY_ASK
|
|
/* If there the conflict is with itself, then don't
|
|
display this message. */
|
|
&& conflict && strcmp (conflict, fingerprint) != 0)
|
|
{
|
|
es_fprintf (fp,
|
|
_("%s raised a conflict with this binding. Since this"
|
|
" binding's policy was 'auto', it was changed to 'ask'. "),
|
|
binding);
|
|
binding_shown = 1;
|
|
}
|
|
es_fprintf (fp,
|
|
_("Please indicate whether you believe the binding %s%s"
|
|
"is legitimate (the key belongs to the stated owner) "
|
|
"or a forgery (bad).\n\n"),
|
|
binding_shown ? "" : binding,
|
|
binding_shown ? "" : " ");
|
|
|
|
xfree (binding);
|
|
|
|
/* Find other user ids associated with this key and whether the
|
|
bindings are marked as good or bad. */
|
|
{
|
|
sqlite3 *db_key;
|
|
|
|
if (opt.tofu_db_format == TOFU_DB_SPLIT)
|
|
/* In the split format, we need to search in the fingerprint
|
|
DB for all the emails associated with this key, not the
|
|
email DB. */
|
|
db_key = getdb (dbs, fingerprint, DB_KEY);
|
|
else
|
|
db_key = db;
|
|
|
|
if (db_key)
|
|
{
|
|
rc = sqlite3_exec_printf
|
|
(db_key, strings_collect_cb, &other_user_ids, &err,
|
|
"select user_id, %s from bindings where fingerprint = %Q;",
|
|
opt.tofu_db_format == TOFU_DB_SPLIT ? "email" : "policy",
|
|
fingerprint);
|
|
if (rc)
|
|
{
|
|
log_error (_("error gathering other user ids: %s.\n"), err);
|
|
sqlite3_free (err);
|
|
err = NULL;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (other_user_ids)
|
|
{
|
|
strlist_t strlist_iter;
|
|
|
|
es_fprintf (fp, _("Known user ids associated with this key:\n"));
|
|
for (strlist_iter = other_user_ids;
|
|
strlist_iter;
|
|
strlist_iter = strlist_iter->next)
|
|
{
|
|
char *other_user_id = strlist_iter->d;
|
|
char *other_thing;
|
|
enum tofu_policy other_policy;
|
|
|
|
assert (strlist_iter->next);
|
|
strlist_iter = strlist_iter->next;
|
|
other_thing = strlist_iter->d;
|
|
|
|
if (opt.tofu_db_format == TOFU_DB_SPLIT)
|
|
other_policy = get_policy (dbs, fingerprint, other_thing, NULL);
|
|
else
|
|
other_policy = atoi (other_thing);
|
|
|
|
es_fprintf (fp, _(" %s (policy: %s)\n"),
|
|
other_user_id,
|
|
tofu_policy_str (other_policy));
|
|
}
|
|
es_fprintf (fp, "\n");
|
|
|
|
free_strlist (other_user_ids);
|
|
}
|
|
|
|
/* Find other keys associated with this email address. */
|
|
/* XXX: When generating the statistics, do we want the time
|
|
embedded in the signature (column 'sig_time') or the time that
|
|
we first verified the signature (column 'time'). */
|
|
rc = sqlite3_exec_printf
|
|
(db, signature_stats_collect_cb, &stats, &err,
|
|
"select fingerprint, policy, time_ago, count(*)\n"
|
|
" from (select bindings.*,\n"
|
|
" case\n"
|
|
/* From the future (but if its just a couple of hours in the
|
|
future don't turn it into a warning)? Or should we use
|
|
small, medium or large units? (Note: whatever we do, we
|
|
keep the value in seconds. Then when we group, everything
|
|
that rounds to the same number of seconds is grouped.) */
|
|
" when delta < -%d then -1\n"
|
|
" when delta < %d then max(0, round(delta / %d) * %d)\n"
|
|
" when delta < %d then round(delta / %d) * %d\n"
|
|
" else round(delta / %d) * %d\n"
|
|
" end time_ago,\n"
|
|
" delta time_ago_raw\n"
|
|
" from (select *,\n"
|
|
" cast(strftime('%%s','now') - sig_time as real) delta\n"
|
|
" from signatures) ss\n"
|
|
" left join bindings on ss.binding = bindings.oid)\n"
|
|
" where email = %Q\n"
|
|
" group by fingerprint, time_ago\n"
|
|
/* Make sure the current key is first. */
|
|
" order by fingerprint = %Q asc, fingerprint desc, time_ago desc;\n",
|
|
TIME_AGO_FUTURE_IGNORE,
|
|
TIME_AGO_MEDIUM_THRESHOLD, TIME_AGO_UNIT_SMALL, TIME_AGO_UNIT_SMALL,
|
|
TIME_AGO_LARGE_THRESHOLD, TIME_AGO_UNIT_MEDIUM, TIME_AGO_UNIT_MEDIUM,
|
|
TIME_AGO_UNIT_LARGE, TIME_AGO_UNIT_LARGE,
|
|
email, fingerprint);
|
|
if (rc)
|
|
{
|
|
strlist_t strlist_iter;
|
|
|
|
log_error (_("error gathering signature stats: %s.\n"),
|
|
err);
|
|
sqlite3_free (err);
|
|
err = NULL;
|
|
|
|
es_fprintf
|
|
(fp, _("The email address (%s) is associated with %d keys:\n"),
|
|
email, bindings_with_this_email_count);
|
|
for (strlist_iter = bindings_with_this_email;
|
|
strlist_iter;
|
|
strlist_iter = strlist_iter->next)
|
|
es_fprintf (fp, _(" %s\n"), strlist_iter->d);
|
|
}
|
|
else
|
|
{
|
|
char *key = NULL;
|
|
|
|
if (! stats || strcmp (stats->fingerprint, fingerprint) != 0)
|
|
/* If we have already added this key to the DB, then it will
|
|
be first (see the above select). Since the first key on
|
|
the list is not this key, we must not yet have verified
|
|
any messages signed by this key. Add a dummy entry. */
|
|
signature_stats_prepend (&stats, fingerprint, TOFU_POLICY_AUTO, 0, 0);
|
|
|
|
es_fprintf (fp, _("Statistics for keys with the email '%s':\n"),
|
|
email);
|
|
for (stats_iter = stats; stats_iter; stats_iter = stats_iter->next)
|
|
{
|
|
if (! key || strcmp (key, stats_iter->fingerprint) != 0)
|
|
{
|
|
int this_key;
|
|
key = stats_iter->fingerprint;
|
|
this_key = strcmp (key, fingerprint) == 0;
|
|
if (this_key)
|
|
es_fprintf (fp, _(" %s (this key):"), key);
|
|
else
|
|
es_fprintf (fp, _(" %s (policy: %s):"),
|
|
key, tofu_policy_str (stats_iter->policy));
|
|
es_fprintf (fp, "\n");
|
|
}
|
|
|
|
if (stats_iter->time_ago == -1)
|
|
es_fprintf (fp, _(" %ld %s signed in the future.\n"),
|
|
stats_iter->count,
|
|
stats_iter->count == 1
|
|
? _("message") : _("messages"));
|
|
else if (stats_iter->count == 0)
|
|
es_fprintf (fp, _(" 0 signed messages.\n"));
|
|
else
|
|
es_fprintf (fp, _(" %ld %s signed over the past %ld %s.\n"),
|
|
stats_iter->count,
|
|
stats_iter->count == 1
|
|
? _("message") : _("messages"),
|
|
time_ago_scale (stats_iter->time_ago),
|
|
time_ago_unit (stats_iter->time_ago));
|
|
}
|
|
}
|
|
|
|
if (is_conflict)
|
|
{
|
|
/* TRANSLATORS: translate the below text. We don't directly
|
|
internationalize that text so that we can tweak it without
|
|
breaking translations. */
|
|
char *text = _("TOFU detected a binding conflict");
|
|
if (strcmp (text, "TOFU detected a binding conflict") == 0)
|
|
/* No translation. Use the English text. */
|
|
text =
|
|
"Normally, there is only a single key associated with an email "
|
|
"address. However, people sometimes generate a new key if "
|
|
"their key is too old or they think it might be compromised. "
|
|
"Alternatively, a new key may indicate a man-in-the-middle"
|
|
"attack! Before accepting this key, you should talk to or "
|
|
"call the person to make sure this new key is legitimate.";
|
|
es_fprintf (fp, "\n%s\n", text);
|
|
}
|
|
|
|
es_fputc ('\n', fp);
|
|
/* TRANSLATORS: Two letters (normally the lower and upper case
|
|
version of the hotkey) for each of the five choices. If there
|
|
is only one choice in your language, repeat it. */
|
|
choices = _("gG" "aA" "uU" "rR" "bB");
|
|
es_fprintf (fp, _("(G)ood/(A)ccept once/(U)nknown/(R)eject once/(B)ad? "));
|
|
|
|
/* Add a NUL terminator. */
|
|
es_fputc (0, fp);
|
|
if (es_fclose_snatch (fp, (void **) &prompt, NULL))
|
|
log_fatal ("error snatching memory stream\n");
|
|
|
|
while (1)
|
|
{
|
|
char *response;
|
|
|
|
if (strlen (choices) != 10)
|
|
log_bug ("Bad TOFU conflict translation! Please report.");
|
|
|
|
response = cpr_get ("tofu conflict", prompt);
|
|
trim_spaces (response);
|
|
cpr_kill_prompt ();
|
|
if (strlen (response) == 1)
|
|
{
|
|
char *choice = strchr (choices, *response);
|
|
if (choice)
|
|
{
|
|
int c = ((size_t) choice - (size_t) choices) / 2;
|
|
assert (0 <= c && c <= 4);
|
|
|
|
switch (c)
|
|
{
|
|
case 0: /* Good. */
|
|
policy = TOFU_POLICY_GOOD;
|
|
trust_level = tofu_policy_to_trust_level (policy);
|
|
break;
|
|
case 1: /* Accept once. */
|
|
policy = TOFU_POLICY_ASK;
|
|
trust_level =
|
|
tofu_policy_to_trust_level (TOFU_POLICY_GOOD);
|
|
break;
|
|
case 2: /* Unknown. */
|
|
policy = TOFU_POLICY_UNKNOWN;
|
|
trust_level = tofu_policy_to_trust_level (policy);
|
|
break;
|
|
case 3: /* Reject once. */
|
|
policy = TOFU_POLICY_ASK;
|
|
trust_level =
|
|
tofu_policy_to_trust_level (TOFU_POLICY_BAD);
|
|
break;
|
|
case 4: /* Bad. */
|
|
policy = TOFU_POLICY_BAD;
|
|
trust_level = tofu_policy_to_trust_level (policy);
|
|
break;
|
|
default:
|
|
log_bug ("c should be between 0 and 4 but it is %d!", c);
|
|
}
|
|
|
|
if (record_binding (dbs, fingerprint, email, user_id,
|
|
policy, 0) != 0)
|
|
/* If there's an error registering the
|
|
binding, don't save the signature. */
|
|
trust_level = _tofu_GET_TRUST_ERROR;
|
|
|
|
break;
|
|
}
|
|
}
|
|
xfree (response);
|
|
}
|
|
|
|
xfree (prompt);
|
|
|
|
signature_stats_free (stats);
|
|
}
|
|
|
|
out:
|
|
if (change_conflicting_to_ask)
|
|
{
|
|
if (! may_ask)
|
|
/* If we weren't allowed to ask, also update this key as
|
|
conflicting with itself. */
|
|
rc = sqlite3_exec_printf
|
|
(db, NULL, NULL, &err,
|
|
"update bindings set policy = %d, conflict = %Q"
|
|
" where email = %Q"
|
|
" and (policy = %d or (policy = %d and fingerprint = %Q));",
|
|
TOFU_POLICY_ASK, fingerprint, email, TOFU_POLICY_AUTO,
|
|
TOFU_POLICY_ASK, fingerprint);
|
|
else
|
|
rc = sqlite3_exec_printf
|
|
(db, NULL, NULL, &err,
|
|
"update bindings set policy = %d, conflict = %Q"
|
|
" where email = %Q and fingerprint != %Q and policy = %d;",
|
|
TOFU_POLICY_ASK, fingerprint, email, fingerprint, TOFU_POLICY_AUTO);
|
|
if (rc)
|
|
{
|
|
log_error (_("error changing TOFU policy: %s\n"), err);
|
|
sqlite3_free (err);
|
|
goto out;
|
|
}
|
|
}
|
|
|
|
xfree (conflict);
|
|
free_strlist (bindings_with_this_email);
|
|
|
|
return trust_level;
|
|
}
|
|
|
|
static void
|
|
show_statistics (struct db *dbs, const char *fingerprint,
|
|
const char *email, const char *user_id,
|
|
const char *sig_exclude)
|
|
{
|
|
sqlite3 *db;
|
|
int rc;
|
|
strlist_t strlist = NULL;
|
|
char *err = NULL;
|
|
|
|
db = getdb (dbs, email, DB_EMAIL);
|
|
if (! db)
|
|
return;
|
|
|
|
rc = sqlite3_exec_printf
|
|
(db, strings_collect_cb, &strlist, &err,
|
|
"select count (*), strftime('%%s','now') - min (signatures.time)\n"
|
|
" from signatures\n"
|
|
" left join bindings on signatures.binding = bindings.oid\n"
|
|
" where fingerprint = %Q and email = %Q and sig_digest %s%s%s;",
|
|
fingerprint, email,
|
|
/* We want either: sig_digest != 'SIG_EXCLUDE' or sig_digest is
|
|
not NULL. */
|
|
sig_exclude ? "!= '" : "is not NULL",
|
|
sig_exclude ? sig_exclude : "",
|
|
sig_exclude ? "'" : "");
|
|
if (rc)
|
|
{
|
|
log_error (_("error reading from TOFU database"
|
|
" (getting statistics): %s\n"),
|
|
err);
|
|
sqlite3_free (err);
|
|
goto out;
|
|
}
|
|
|
|
if (! strlist)
|
|
log_info (_("Have never verified a message signed by key %s!\n"),
|
|
fingerprint);
|
|
else
|
|
{
|
|
char *tail = NULL;
|
|
signed long messages;
|
|
signed long first_seen_ago;
|
|
|
|
assert (strlist_length (strlist) == 2);
|
|
|
|
errno = 0;
|
|
messages = strtol (strlist->d, &tail, 0);
|
|
if (errno || *tail != '\0')
|
|
/* Abort. */
|
|
{
|
|
log_debug ("%s:%d: Couldn't convert %s (messages) to an int: %s.\n",
|
|
__func__, __LINE__, strlist->d, strerror (errno));
|
|
messages = -1;
|
|
}
|
|
|
|
if (messages == 0 && *strlist->next->d == '\0')
|
|
/* min(NULL) => NULL => "". */
|
|
first_seen_ago = -1;
|
|
else
|
|
{
|
|
errno = 0;
|
|
first_seen_ago = strtol (strlist->next->d, &tail, 0);
|
|
if (errno || *tail != '\0')
|
|
/* Abort. */
|
|
{
|
|
log_debug ("%s:%d: Cound't convert %s (first_seen) to an int: %s.\n",
|
|
__func__, __LINE__,
|
|
strlist->next->d, strerror (errno));
|
|
first_seen_ago = 0;
|
|
}
|
|
}
|
|
|
|
if (messages == -1 || first_seen_ago == 0)
|
|
log_info (_("Failed to collect signature statistics for \"%s\" (key %s)\n"),
|
|
user_id, fingerprint);
|
|
else
|
|
{
|
|
enum tofu_policy policy = get_policy (dbs, fingerprint, email, NULL);
|
|
estream_t fp;
|
|
char *msg;
|
|
|
|
fp = es_fopenmem (0, "rw,samethread");
|
|
if (! fp)
|
|
log_fatal ("error creating memory stream\n");
|
|
|
|
if (messages == 0)
|
|
es_fprintf (fp,
|
|
_("Verified 0 messages signed by \"%s\""
|
|
" (key: %s, policy %s)."),
|
|
user_id, fingerprint, tofu_policy_str (policy));
|
|
else
|
|
{
|
|
int years = 0;
|
|
int months = 0;
|
|
int days = 0;
|
|
int hours = 0;
|
|
int minutes = 0;
|
|
int seconds = 0;
|
|
|
|
/* The number of units that we've printed so far. */
|
|
int count = 0;
|
|
/* The first unit that we printed (year = 0, month = 1,
|
|
etc.). */
|
|
int first = -1;
|
|
/* The current unit. */
|
|
int i = 0;
|
|
|
|
es_fprintf (fp,
|
|
_("Verified %ld messages signed by \"%s\""
|
|
" (key: %s, policy: %s) in the past "),
|
|
messages, user_id,
|
|
fingerprint, tofu_policy_str (policy));
|
|
|
|
/* It would be nice to use a macro to do this, but gettext
|
|
works on the unpreprocessed code. */
|
|
#define MIN_SECS (60)
|
|
#define HOUR_SECS (60 * MIN_SECS)
|
|
#define DAY_SECS (24 * HOUR_SECS)
|
|
#define MONTH_SECS (30 * DAY_SECS)
|
|
#define YEAR_SECS (365 * DAY_SECS)
|
|
|
|
if (first_seen_ago > YEAR_SECS)
|
|
{
|
|
years = first_seen_ago / YEAR_SECS;
|
|
first_seen_ago -= years * YEAR_SECS;
|
|
}
|
|
if (first_seen_ago > MONTH_SECS)
|
|
{
|
|
months = first_seen_ago / MONTH_SECS;
|
|
first_seen_ago -= months * MONTH_SECS;
|
|
}
|
|
if (first_seen_ago > DAY_SECS)
|
|
{
|
|
days = first_seen_ago / DAY_SECS;
|
|
first_seen_ago -= days * DAY_SECS;
|
|
}
|
|
if (first_seen_ago > HOUR_SECS)
|
|
{
|
|
hours = first_seen_ago / HOUR_SECS;
|
|
first_seen_ago -= hours * HOUR_SECS;
|
|
}
|
|
if (first_seen_ago > MIN_SECS)
|
|
{
|
|
minutes = first_seen_ago / MIN_SECS;
|
|
first_seen_ago -= minutes * MIN_SECS;
|
|
}
|
|
seconds = first_seen_ago;
|
|
|
|
#undef MIN_SECS
|
|
#undef HOUR_SECS
|
|
#undef DAY_SECS
|
|
#undef MONTH_SECS
|
|
#undef YEAR_SECS
|
|
|
|
if (years)
|
|
{
|
|
if (years > 1)
|
|
es_fprintf (fp, _("%d years"), years);
|
|
else
|
|
es_fprintf (fp, _("%d year"), years);
|
|
count ++;
|
|
first = i;
|
|
}
|
|
i ++;
|
|
if ((first == -1 || i - first <= 3) && months)
|
|
{
|
|
if (count)
|
|
es_fprintf (fp, _(", "));
|
|
|
|
if (months > 1)
|
|
es_fprintf (fp, _("%d months"), months);
|
|
else
|
|
es_fprintf (fp, _("%d month"), months);
|
|
count ++;
|
|
first = i;
|
|
}
|
|
i ++;
|
|
if ((first == -1 || i - first <= 3) && count < 2 && days)
|
|
{
|
|
if (count)
|
|
es_fprintf (fp, _(", "));
|
|
|
|
if (days > 1)
|
|
es_fprintf (fp, _("%d days"), days);
|
|
else
|
|
es_fprintf (fp, _("%d day"), days);
|
|
count ++;
|
|
first = i;
|
|
}
|
|
i ++;
|
|
if ((first == -1 || i - first <= 3) && count < 2 && hours)
|
|
{
|
|
if (count)
|
|
es_fprintf (fp, _(", "));
|
|
|
|
if (hours > 1)
|
|
es_fprintf (fp, _("%d hours"), hours);
|
|
else
|
|
es_fprintf (fp, _("%d hour"), hours);
|
|
count ++;
|
|
first = i;
|
|
}
|
|
i ++;
|
|
if ((first == -1 || i - first <= 3) && count < 2 && minutes)
|
|
{
|
|
if (count)
|
|
es_fprintf (fp, _(", "));
|
|
|
|
if (minutes > 1)
|
|
es_fprintf (fp, _("%d minutes"), minutes);
|
|
else
|
|
es_fprintf (fp, _("%d minute"), minutes);
|
|
count ++;
|
|
first = i;
|
|
}
|
|
i ++;
|
|
if ((first == -1 || i - first <= 3) && count < 2)
|
|
{
|
|
if (count)
|
|
es_fprintf (fp, _(", "));
|
|
|
|
if (seconds > 1)
|
|
es_fprintf (fp, _("%d seconds"), seconds);
|
|
else
|
|
es_fprintf (fp, _("%d second"), seconds);
|
|
}
|
|
|
|
es_fprintf (fp, _("."));
|
|
}
|
|
|
|
es_fputc (0, fp);
|
|
if (es_fclose_snatch (fp, (void **) &msg, NULL))
|
|
log_fatal ("error snatching memory stream\n");
|
|
|
|
log_info ("%s\n", msg);
|
|
|
|
if (policy == TOFU_POLICY_AUTO && messages < 10)
|
|
{
|
|
char *set_policy_command;
|
|
const char *text;
|
|
|
|
if (messages == 0)
|
|
log_info (_("Warning: we've have yet to see a message signed by this key!\n"));
|
|
else if (messages == 1)
|
|
log_info (_("Warning: we've only seen a single message signed by this key!\n"));
|
|
|
|
set_policy_command =
|
|
xasprintf ("gpg --tofu-policy bad \"%s\"", fingerprint);
|
|
/* TRANSLATORS: translate the below text. We don't
|
|
directly internationalize that text so that we can
|
|
tweak it without breaking translations. */
|
|
text = _("TOFU: few signatures %s");
|
|
if (strcmp (text, "TOFU: few signatures %s") == 0)
|
|
text =
|
|
"Warning: if this value is unexpectedly low, this might "
|
|
"indicate that this key is a forgery! Carefully examine "
|
|
"the email address for small variations (e.g., additional "
|
|
"white space). If the key is suspect, then use '%s' to "
|
|
"mark the key as being bad.\n";
|
|
log_info (text, set_policy_command);
|
|
free (set_policy_command);
|
|
}
|
|
}
|
|
}
|
|
|
|
out:
|
|
free_strlist (strlist);
|
|
|
|
return;
|
|
}
|
|
|
|
/* Extract the email address from a user id and normalize it. If the
|
|
user id doesn't contain an email address, then we use the whole
|
|
user_id and normalize that. The returned string must be freed. */
|
|
static char *
|
|
email_from_user_id (const char *user_id)
|
|
{
|
|
char *email = mailbox_from_userid (user_id);
|
|
if (! email)
|
|
/* Hmm, no email address was provided. Just take the lower-case
|
|
version of the whole user id. It could be a hostname, for
|
|
instance. */
|
|
email = ascii_strlwr (xstrdup (user_id));
|
|
|
|
return email;
|
|
}
|
|
|
|
/* Pretty print a MAX_FINGERPRINT_LEN-byte binary fingerprint into a
|
|
malloc'd string. */
|
|
static char *
|
|
fingerprint_pp (const byte *fingerprint_bin)
|
|
{
|
|
char fingerprint[MAX_FINGERPRINT_LEN * 2 + 1];
|
|
char *fingerprint_pretty;
|
|
int space = (/* The characters and the NUL. */
|
|
sizeof (fingerprint)
|
|
/* After every fourth character, we add a space (except
|
|
the last). */
|
|
+ (sizeof (fingerprint) - 1) / 4 - 1
|
|
/* Half way through we add a second space. */
|
|
+ 1);
|
|
int i;
|
|
int j;
|
|
|
|
bin2hex (fingerprint_bin, MAX_FINGERPRINT_LEN, fingerprint);
|
|
|
|
fingerprint_pretty = xmalloc (space);
|
|
|
|
for (i = 0, j = 0; i < MAX_FINGERPRINT_LEN * 2; i ++)
|
|
{
|
|
if (i && i % 4 == 0)
|
|
fingerprint_pretty[j ++] = ' ';
|
|
if (i == MAX_FINGERPRINT_LEN * 2 / 2)
|
|
fingerprint_pretty[j ++] = ' ';
|
|
|
|
fingerprint_pretty[j ++] = fingerprint[i];
|
|
}
|
|
fingerprint_pretty[j ++] = 0;
|
|
assert (j == space);
|
|
|
|
return fingerprint_pretty;
|
|
}
|
|
|
|
/* Register the signature with the binding <FINGERPRINT_BIN, USER_ID>.
|
|
FINGERPRINT must be MAX_FINGERPRINT_LEN bytes long.
|
|
|
|
SIG_DIGEST_BIN is the binary representation of the message's
|
|
digest. SIG_DIGEST_BIN_LEN is its length.
|
|
|
|
SIG_TIME is the time that the signature was generated.
|
|
|
|
ORIGIN is a free-formed string describing the origin of the
|
|
signature. If this was from an email and the Claws MUA was used,
|
|
then this should be something like: "email:claws". If this is
|
|
NULL, the default is simply "unknown".
|
|
|
|
If MAY_ASK is 1, then this function may interact with the user.
|
|
This is necessary if there is a conflict or the binding's policy is
|
|
TOFU_POLICY_ASK.
|
|
|
|
This function returns the binding's trust level on return. If an
|
|
error occurs, this function returns TRUST_UNKNOWN. */
|
|
int
|
|
tofu_register (const byte *fingerprint_bin, const char *user_id,
|
|
const byte *sig_digest_bin, int sig_digest_bin_len,
|
|
time_t sig_time, const char *origin, int may_ask)
|
|
{
|
|
struct db *dbs;
|
|
sqlite3 *db;
|
|
char *fingerprint = NULL;
|
|
char *email = NULL;
|
|
char *err = NULL;
|
|
int rc;
|
|
int trust_level = TRUST_UNKNOWN;
|
|
char *sig_digest;
|
|
unsigned long c;
|
|
int already_verified = 0;
|
|
|
|
sig_digest = make_radix64_string (sig_digest_bin, sig_digest_bin_len);
|
|
|
|
dbs = opendbs ();
|
|
if (! dbs)
|
|
{
|
|
log_error (_("error opening TOFU DB.\n"));
|
|
goto die;
|
|
}
|
|
|
|
fingerprint = fingerprint_pp (fingerprint_bin);
|
|
|
|
if (! *user_id)
|
|
{
|
|
log_debug ("TOFU: user id is empty. Can't continue.\n");
|
|
goto die;
|
|
}
|
|
|
|
email = email_from_user_id (user_id);
|
|
|
|
if (! origin)
|
|
/* The default origin is simply "unknown". */
|
|
origin = "unknown";
|
|
|
|
/* It's necessary to get the trust so that we are certain that the
|
|
binding has been registered. */
|
|
trust_level = get_trust (dbs, fingerprint, email, user_id, may_ask);
|
|
if (trust_level == _tofu_GET_TRUST_ERROR)
|
|
/* An error. */
|
|
{
|
|
trust_level = TRUST_UNKNOWN;
|
|
goto die;
|
|
}
|
|
|
|
/* Save the observed signature in the DB. */
|
|
db = getdb (dbs, email, DB_EMAIL);
|
|
if (! db)
|
|
{
|
|
log_error (_("error opening TOFU DB.\n"));
|
|
goto die;
|
|
}
|
|
|
|
/* We do a query and then an insert. Make sure they are atomic
|
|
by wrapping them in a transaction. */
|
|
rc = sqlite3_exec (db, "begin transaction;", NULL, NULL, &err);
|
|
if (rc)
|
|
{
|
|
log_error (_("error beginning transaction on TOFU database: %s\n"), err);
|
|
sqlite3_free (err);
|
|
goto die;
|
|
}
|
|
|
|
/* If we've already seen this signature before, then don't add
|
|
it again. */
|
|
rc = sqlite3_exec_printf
|
|
(db, get_single_unsigned_long_cb, &c, &err,
|
|
"select count (*)\n"
|
|
" from signatures left join bindings\n"
|
|
" on signatures.binding = bindings.oid\n"
|
|
" where fingerprint = %Q and email = %Q and sig_time = 0x%lx\n"
|
|
" and sig_digest = %Q",
|
|
fingerprint, email, (unsigned long) sig_time, sig_digest);
|
|
if (rc)
|
|
{
|
|
log_error (_("error reading from signatures database"
|
|
" (checking existence): %s\n"),
|
|
err);
|
|
sqlite3_free (err);
|
|
}
|
|
else if (c > 1)
|
|
/* Duplicates! This should not happen. In particular,
|
|
because <fingerprint, email, sig_time, sig_digest> is the
|
|
primary key! */
|
|
log_debug ("SIGNATURES DB contains duplicate records"
|
|
" <key: %s, %s, time: 0x%lx, sig: %s, %s>."
|
|
" Please report.\n",
|
|
fingerprint, email, (unsigned long) sig_time,
|
|
sig_digest, origin);
|
|
else if (c == 1)
|
|
{
|
|
already_verified = 1;
|
|
if (DBG_TRUST)
|
|
log_debug ("Already observed the signature"
|
|
" <key: %s, %s, time: 0x%lx, sig: %s, %s>\n",
|
|
fingerprint, email, (unsigned long) sig_time,
|
|
sig_digest, origin);
|
|
}
|
|
else
|
|
/* This is the first time that we've seen this signature.
|
|
Record it. */
|
|
{
|
|
if (DBG_TRUST)
|
|
log_debug ("TOFU: Saving signature <%s, %s, %s>\n",
|
|
fingerprint, email, sig_digest);
|
|
|
|
assert (c == 0);
|
|
|
|
rc = sqlite3_exec_printf
|
|
(db, NULL, NULL, &err,
|
|
"insert into signatures\n"
|
|
" (binding, sig_digest, origin, sig_time, time)\n"
|
|
" values\n"
|
|
" ((select oid from bindings\n"
|
|
" where fingerprint = %Q and email = %Q),\n"
|
|
" %Q, %Q, 0x%lx, strftime('%%s', 'now'));",
|
|
fingerprint, email, sig_digest, origin, (unsigned long) sig_time);
|
|
if (rc)
|
|
{
|
|
log_error (_("error updating TOFU DB"
|
|
" (inserting into signatures table): %s\n"),
|
|
err);
|
|
sqlite3_free (err);
|
|
}
|
|
}
|
|
|
|
/* It only matters whether we abort or commit the transaction
|
|
(so long as we do something) if we execute the insert. */
|
|
if (rc)
|
|
rc = sqlite3_exec (db, "rollback;", NULL, NULL, &err);
|
|
else
|
|
rc = sqlite3_exec (db, "commit transaction;", NULL, NULL, &err);
|
|
if (rc)
|
|
{
|
|
log_error (_("error ending transaction on TOFU database: %s\n"), err);
|
|
sqlite3_free (err);
|
|
goto die;
|
|
}
|
|
|
|
die:
|
|
if (may_ask)
|
|
/* It's only appropriate to show the statistics in an interactive
|
|
context. */
|
|
show_statistics (dbs, fingerprint, email, user_id,
|
|
already_verified ? NULL : sig_digest);
|
|
|
|
xfree (email);
|
|
xfree (fingerprint);
|
|
if (dbs)
|
|
closedbs (dbs);
|
|
xfree (sig_digest);
|
|
|
|
return trust_level;
|
|
}
|
|
|
|
/* Combine a trust level returned from the TOFU trust model with a
|
|
trust level returned by the PGP trust model. This is primarily of
|
|
interest when the trust model is tofu+pgp (TM_TOFU_PGP).
|
|
|
|
This function ors together the upper bits (the values not covered
|
|
by TRUST_MASK, i.e., TRUST_FLAG_REVOKED, etc.). */
|
|
int
|
|
tofu_wot_trust_combine (int tofu_base, int wot_base)
|
|
{
|
|
int tofu = tofu_base & TRUST_MASK;
|
|
int wot = wot_base & TRUST_MASK;
|
|
int upper = (tofu_base & ~TRUST_MASK) | (wot_base & ~TRUST_MASK);
|
|
|
|
assert (tofu == TRUST_UNKNOWN
|
|
|| tofu == TRUST_EXPIRED
|
|
|| tofu == TRUST_UNDEFINED
|
|
|| tofu == TRUST_NEVER
|
|
|| tofu == TRUST_MARGINAL
|
|
|| tofu == TRUST_FULLY
|
|
|| tofu == TRUST_ULTIMATE);
|
|
assert (wot == TRUST_UNKNOWN
|
|
|| wot == TRUST_EXPIRED
|
|
|| wot == TRUST_UNDEFINED
|
|
|| wot == TRUST_NEVER
|
|
|| wot == TRUST_MARGINAL
|
|
|| wot == TRUST_FULLY
|
|
|| wot == TRUST_ULTIMATE);
|
|
|
|
/* We first consider negative trust policys. These trump positive
|
|
trust policies. */
|
|
if (tofu == TRUST_NEVER || wot == TRUST_NEVER)
|
|
/* TRUST_NEVER trumps everything else. */
|
|
return upper | TRUST_NEVER;
|
|
if (tofu == TRUST_EXPIRED || wot == TRUST_EXPIRED)
|
|
/* TRUST_EXPIRED trumps everything but TRUST_NEVER. */
|
|
return upper | TRUST_EXPIRED;
|
|
|
|
/* Now we only have positive or neutral trust policies. We take
|
|
the max. */
|
|
if (tofu == TRUST_ULTIMATE || wot == TRUST_ULTIMATE)
|
|
return upper | TRUST_ULTIMATE;
|
|
if (tofu == TRUST_FULLY || wot == TRUST_FULLY)
|
|
return upper | TRUST_FULLY;
|
|
if (tofu == TRUST_MARGINAL || wot == TRUST_MARGINAL)
|
|
return upper | TRUST_MARGINAL;
|
|
if (tofu == TRUST_UNDEFINED || wot == TRUST_UNDEFINED)
|
|
return upper | TRUST_UNDEFINED;
|
|
return upper | TRUST_UNKNOWN;
|
|
}
|
|
|
|
/* Return the validity (TRUST_NEVER, etc.) of the binding
|
|
<FINGERPRINT, USER_ID>.
|
|
|
|
FINGERPRINT must be a MAX_FINGERPRINT_LEN-byte fingerprint.
|
|
|
|
If MAY_ASK is 1 and the policy is TOFU_POLICY_ASK, then the user
|
|
will be prompted to choose a different policy. If MAY_ASK is 0 and
|
|
the policy is TOFU_POLICY_ASK, then TRUST_UNKNOWN is returned.
|
|
|
|
Returns TRUST_UNDEFINED if an error occurs. */
|
|
int
|
|
tofu_get_validity (const byte *fingerprint_bin, const char *user_id,
|
|
int may_ask)
|
|
{
|
|
struct db *dbs;
|
|
char *fingerprint = NULL;
|
|
char *email = NULL;
|
|
int trust_level = TRUST_UNDEFINED;
|
|
|
|
dbs = opendbs ();
|
|
if (! dbs)
|
|
{
|
|
log_error (_("error opening TOFU DB.\n"));
|
|
goto die;
|
|
}
|
|
|
|
fingerprint = fingerprint_pp (fingerprint_bin);
|
|
|
|
if (! *user_id)
|
|
{
|
|
log_debug ("user id is empty. Can't get TOFU validity for this binding.\n");
|
|
goto die;
|
|
}
|
|
|
|
email = email_from_user_id (user_id);
|
|
|
|
trust_level = get_trust (dbs, fingerprint, email, user_id, may_ask);
|
|
if (trust_level == _tofu_GET_TRUST_ERROR)
|
|
/* An error. */
|
|
trust_level = TRUST_UNDEFINED;
|
|
|
|
if (may_ask)
|
|
show_statistics (dbs, fingerprint, email, user_id, NULL);
|
|
|
|
die:
|
|
xfree (email);
|
|
xfree (fingerprint);
|
|
if (dbs)
|
|
closedbs (dbs);
|
|
|
|
return trust_level;
|
|
}
|
|
|
|
/* Set the policy for all non-revoked user ids in the keyblock KB to
|
|
POLICY.
|
|
|
|
If no key is available with the specified key id, then this
|
|
function returns GPG_ERR_NO_PUBKEY.
|
|
|
|
Returns 0 on success and an error code otherwise. */
|
|
gpg_error_t
|
|
tofu_set_policy (kbnode_t kb, enum tofu_policy policy)
|
|
{
|
|
struct db *dbs;
|
|
PKT_public_key *pk;
|
|
char fingerprint_bin[MAX_FINGERPRINT_LEN];
|
|
size_t fingerprint_bin_len = sizeof (fingerprint_bin);
|
|
char *fingerprint = NULL;
|
|
|
|
assert (kb->pkt->pkttype == PKT_PUBLIC_KEY);
|
|
pk = kb->pkt->pkt.public_key;
|
|
|
|
dbs = opendbs ();
|
|
if (! dbs)
|
|
{
|
|
log_error (_("error opening TOFU DB.\n"));
|
|
return gpg_error (GPG_ERR_GENERAL);
|
|
}
|
|
|
|
if (DBG_TRUST)
|
|
log_debug ("Setting TOFU policy for %s to %s\n",
|
|
keystr (pk->keyid), tofu_policy_str (policy));
|
|
if (! (pk->main_keyid[0] == pk->keyid[0]
|
|
&& pk->main_keyid[1] == pk->keyid[1]))
|
|
log_bug ("%s: Passed a subkey, but expecting a primary key.\n", __func__);
|
|
|
|
fingerprint_from_pk (pk, fingerprint_bin, &fingerprint_bin_len);
|
|
assert (fingerprint_bin_len == sizeof (fingerprint_bin));
|
|
|
|
fingerprint = fingerprint_pp (fingerprint_bin);
|
|
|
|
for (; kb; kb = kb->next)
|
|
{
|
|
PKT_user_id *user_id;
|
|
char *email;
|
|
|
|
if (kb->pkt->pkttype != PKT_USER_ID)
|
|
continue;
|
|
|
|
user_id = kb->pkt->pkt.user_id;
|
|
if (user_id->is_revoked)
|
|
/* Skip revoked user ids. (Don't skip expired user ids, the
|
|
expiry can be changed.) */
|
|
continue;
|
|
|
|
email = email_from_user_id (user_id->name);
|
|
|
|
record_binding (dbs, fingerprint, email, user_id->name, policy, 1);
|
|
|
|
xfree (email);
|
|
}
|
|
|
|
xfree (fingerprint);
|
|
closedbs (dbs);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* Set the TOFU policy for all non-revoked user ids in the KEY with
|
|
the key id KEYID to POLICY.
|
|
|
|
If no key is available with the specified key id, then this
|
|
function returns GPG_ERR_NO_PUBKEY.
|
|
|
|
Returns 0 on success and an error code otherwise. */
|
|
gpg_error_t
|
|
tofu_set_policy_by_keyid (u32 *keyid, enum tofu_policy policy)
|
|
{
|
|
kbnode_t keyblock = get_pubkeyblock (keyid);
|
|
if (! keyblock)
|
|
return gpg_error (GPG_ERR_NO_PUBKEY);
|
|
|
|
return tofu_set_policy (keyblock, policy);
|
|
}
|
|
|
|
/* Return the TOFU policy for the specified binding in *POLICY. If no
|
|
policy has been set for the binding, sets *POLICY to
|
|
TOFU_POLICY_NONE.
|
|
|
|
PK is a primary public key and USER_ID is a user id.
|
|
|
|
Returns 0 on success and an error code otherwise. */
|
|
gpg_error_t
|
|
tofu_get_policy (PKT_public_key *pk, PKT_user_id *user_id,
|
|
enum tofu_policy *policy)
|
|
{
|
|
struct db *dbs;
|
|
char fingerprint_bin[MAX_FINGERPRINT_LEN];
|
|
size_t fingerprint_bin_len = sizeof (fingerprint_bin);
|
|
char *fingerprint;
|
|
char *email;
|
|
|
|
/* Make sure PK is a primary key. */
|
|
assert (pk->main_keyid[0] == pk->keyid[0]
|
|
&& pk->main_keyid[1] == pk->keyid[1]);
|
|
|
|
dbs = opendbs ();
|
|
if (! dbs)
|
|
{
|
|
log_error (_("error opening TOFU DB.\n"));
|
|
return gpg_error (GPG_ERR_GENERAL);
|
|
}
|
|
|
|
fingerprint_from_pk (pk, fingerprint_bin, &fingerprint_bin_len);
|
|
assert (fingerprint_bin_len == sizeof (fingerprint_bin));
|
|
|
|
fingerprint = fingerprint_pp (fingerprint_bin);
|
|
|
|
email = email_from_user_id (user_id->name);
|
|
|
|
*policy = get_policy (dbs, fingerprint, email, NULL);
|
|
|
|
xfree (email);
|
|
xfree (fingerprint);
|
|
closedbs (dbs);
|
|
|
|
if (*policy == _tofu_GET_POLICY_ERROR)
|
|
return gpg_error (GPG_ERR_GENERAL);
|
|
return 0;
|
|
}
|