mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
04ce6765f4
-- The fprint is too uncommon in our code base and to similar to fprintf.
4041 lines
123 KiB
C
4041 lines
123 KiB
C
/* tofu.c - TOFU trust model.
|
||
* Copyright (C) 2015, 2016 g10 Code GmbH
|
||
*
|
||
* This file is part of GnuPG.
|
||
*
|
||
* GnuPG is free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 3 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* GnuPG is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* You should have received a copy of the GNU General Public License
|
||
* along with this program; if not, see <https://www.gnu.org/licenses/>.
|
||
*/
|
||
|
||
/* TODO:
|
||
|
||
- Format the fingerprints nicely when printing (similar to gpg
|
||
--list-keys)
|
||
*/
|
||
|
||
#include <config.h>
|
||
#include <stdio.h>
|
||
#include <sys/stat.h>
|
||
#include <stdarg.h>
|
||
#include <sqlite3.h>
|
||
#include <time.h>
|
||
|
||
#include "gpg.h"
|
||
#include "../common/types.h"
|
||
#include "../common/logging.h"
|
||
#include "../common/stringhelp.h"
|
||
#include "options.h"
|
||
#include "../common/mbox-util.h"
|
||
#include "../common/i18n.h"
|
||
#include "../common/ttyio.h"
|
||
#include "trustdb.h"
|
||
#include "../common/mkdir_p.h"
|
||
#include "gpgsql.h"
|
||
#include "../common/status.h"
|
||
|
||
#include "tofu.h"
|
||
|
||
|
||
#define CONTROL_L ('L' - 'A' + 1)
|
||
|
||
/* Number of days with signed / ecnrypted messages required to
|
||
* indicate that enough history is available for basic trust. */
|
||
#define BASIC_TRUST_THRESHOLD 4
|
||
/* Number of days with signed / encrypted messages required to
|
||
* indicate that a lot of history is available. */
|
||
#define FULL_TRUST_THRESHOLD 21
|
||
|
||
|
||
/* A struct with data pertaining to the tofu DB. There is one such
|
||
struct per session and it is cached in session's ctrl structure.
|
||
To initialize this or get the current singleton, call opendbs().
|
||
There is no need to explicitly release it; cleanup is done when the
|
||
CTRL object is released. */
|
||
struct tofu_dbs_s
|
||
{
|
||
sqlite3 *db;
|
||
char *want_lock_file;
|
||
time_t want_lock_file_ctime;
|
||
|
||
struct
|
||
{
|
||
sqlite3_stmt *savepoint_batch;
|
||
sqlite3_stmt *savepoint_batch_commit;
|
||
|
||
sqlite3_stmt *record_binding_get_old_policy;
|
||
sqlite3_stmt *record_binding_update;
|
||
sqlite3_stmt *get_policy_select_policy_and_conflict;
|
||
sqlite3_stmt *get_trust_bindings_with_this_email;
|
||
sqlite3_stmt *get_trust_gather_other_user_ids;
|
||
sqlite3_stmt *get_trust_gather_signature_stats;
|
||
sqlite3_stmt *get_trust_gather_encryption_stats;
|
||
sqlite3_stmt *register_already_seen;
|
||
sqlite3_stmt *register_signature;
|
||
sqlite3_stmt *register_encryption;
|
||
} s;
|
||
|
||
int in_batch_transaction;
|
||
int in_transaction;
|
||
time_t batch_update_started;
|
||
};
|
||
|
||
|
||
#define STRINGIFY(s) STRINGIFY2(s)
|
||
#define STRINGIFY2(s) #s
|
||
|
||
/* The grouping parameters when collecting signature statistics. */
|
||
|
||
/* If a message is signed a couple of hours in the future, just assume
|
||
some clock skew. */
|
||
#define TIME_AGO_FUTURE_IGNORE (2 * 60 * 60)
|
||
/* Days. */
|
||
#define TIME_AGO_UNIT_SMALL (24 * 60 * 60)
|
||
#define TIME_AGO_SMALL_THRESHOLD (7 * TIME_AGO_UNIT_SMALL)
|
||
/* Months. */
|
||
#define TIME_AGO_UNIT_MEDIUM (30 * 24 * 60 * 60)
|
||
#define TIME_AGO_MEDIUM_THRESHOLD (2 * TIME_AGO_UNIT_MEDIUM)
|
||
/* Years. */
|
||
#define TIME_AGO_UNIT_LARGE (365 * 24 * 60 * 60)
|
||
#define TIME_AGO_LARGE_THRESHOLD (2 * TIME_AGO_UNIT_LARGE)
|
||
|
||
/* Local prototypes. */
|
||
static gpg_error_t end_transaction (ctrl_t ctrl, int only_batch);
|
||
static char *email_from_user_id (const char *user_id);
|
||
static int show_statistics (tofu_dbs_t dbs,
|
||
const char *fingerprint, const char *email,
|
||
enum tofu_policy policy,
|
||
estream_t outfp, int only_status_fd, time_t now);
|
||
|
||
const char *
|
||
tofu_policy_str (enum tofu_policy policy)
|
||
{
|
||
switch (policy)
|
||
{
|
||
case TOFU_POLICY_NONE: return "none";
|
||
case TOFU_POLICY_AUTO: return "auto";
|
||
case TOFU_POLICY_GOOD: return "good";
|
||
case TOFU_POLICY_UNKNOWN: return "unknown";
|
||
case TOFU_POLICY_BAD: return "bad";
|
||
case TOFU_POLICY_ASK: return "ask";
|
||
default: return "???";
|
||
}
|
||
}
|
||
|
||
/* Convert a binding policy (e.g., TOFU_POLICY_BAD) to a trust level
|
||
(e.g., TRUST_BAD) in light of the current configuration. */
|
||
int
|
||
tofu_policy_to_trust_level (enum tofu_policy policy)
|
||
{
|
||
if (policy == TOFU_POLICY_AUTO)
|
||
/* If POLICY is AUTO, fallback to OPT.TOFU_DEFAULT_POLICY. */
|
||
policy = opt.tofu_default_policy;
|
||
|
||
switch (policy)
|
||
{
|
||
case TOFU_POLICY_AUTO:
|
||
/* If POLICY and OPT.TOFU_DEFAULT_POLICY are both AUTO, default
|
||
to marginal trust. */
|
||
return TRUST_MARGINAL;
|
||
case TOFU_POLICY_GOOD:
|
||
return TRUST_FULLY;
|
||
case TOFU_POLICY_UNKNOWN:
|
||
return TRUST_UNKNOWN;
|
||
case TOFU_POLICY_BAD:
|
||
return TRUST_NEVER;
|
||
case TOFU_POLICY_ASK:
|
||
return TRUST_UNKNOWN;
|
||
default:
|
||
log_bug ("Bad value for trust policy: %d\n",
|
||
opt.tofu_default_policy);
|
||
return 0;
|
||
}
|
||
}
|
||
|
||
|
||
|
||
/* Start a transaction on DB. If ONLY_BATCH is set, then this will
|
||
start a batch transaction if we haven't started a batch transaction
|
||
and one has been requested. */
|
||
static gpg_error_t
|
||
begin_transaction (ctrl_t ctrl, int only_batch)
|
||
{
|
||
tofu_dbs_t dbs = ctrl->tofu.dbs;
|
||
int rc;
|
||
char *err = NULL;
|
||
|
||
log_assert (dbs);
|
||
|
||
/* If we've been in batch update mode for a while (on average, more
|
||
* than 500 ms), to prevent starving other gpg processes, we drop
|
||
* and retake the batch lock.
|
||
*
|
||
* Note: gnupg_get_time has a one second resolution, if we wanted a
|
||
* higher resolution, we could use npth_clock_gettime. */
|
||
if (/* No real transactions. */
|
||
dbs->in_transaction == 0
|
||
/* There is an open batch transaction. */
|
||
&& dbs->in_batch_transaction
|
||
/* And some time has gone by since it was started. */
|
||
&& dbs->batch_update_started != gnupg_get_time ())
|
||
{
|
||
struct stat statbuf;
|
||
|
||
/* If we are in a batch update, then batch updates better have
|
||
been enabled. */
|
||
log_assert (ctrl->tofu.batch_updated_wanted);
|
||
|
||
/* Check if another process wants to run. (We just ignore any
|
||
* stat failure. A waiter might have to wait a bit longer, but
|
||
* otherwise there should be no impact.) */
|
||
if (gnupg_stat (dbs->want_lock_file, &statbuf) == 0
|
||
&& statbuf.st_ctime != dbs->want_lock_file_ctime)
|
||
{
|
||
end_transaction (ctrl, 2);
|
||
|
||
/* Yield to allow another process a chance to run. Note:
|
||
* testing suggests that anything less than a 100ms tends to
|
||
* not result in the other process getting the lock. */
|
||
gnupg_usleep (100000);
|
||
}
|
||
else
|
||
dbs->batch_update_started = gnupg_get_time ();
|
||
}
|
||
|
||
if (/* We don't have an open batch transaction. */
|
||
!dbs->in_batch_transaction
|
||
&& (/* Batch mode is enabled or we are starting a new transaction. */
|
||
ctrl->tofu.batch_updated_wanted || dbs->in_transaction == 0))
|
||
{
|
||
struct stat statbuf;
|
||
|
||
/* We are in batch mode, but we don't have an open batch
|
||
* transaction. Since the batch save point must be the outer
|
||
* save point, it must be taken before the inner save point. */
|
||
log_assert (dbs->in_transaction == 0);
|
||
|
||
rc = gpgsql_stepx (dbs->db, &dbs->s.savepoint_batch,
|
||
NULL, NULL, &err,
|
||
"begin immediate transaction;", GPGSQL_ARG_END);
|
||
if (rc)
|
||
{
|
||
log_error (_("error beginning transaction on TOFU database: %s\n"),
|
||
err);
|
||
sqlite3_free (err);
|
||
return gpg_error (GPG_ERR_GENERAL);
|
||
}
|
||
|
||
dbs->in_batch_transaction = 1;
|
||
dbs->batch_update_started = gnupg_get_time ();
|
||
|
||
if (gnupg_stat (dbs->want_lock_file, &statbuf) == 0)
|
||
dbs->want_lock_file_ctime = statbuf.st_ctime;
|
||
}
|
||
|
||
if (only_batch)
|
||
return 0;
|
||
|
||
log_assert (dbs->in_transaction >= 0);
|
||
dbs->in_transaction ++;
|
||
|
||
rc = gpgsql_exec_printf (dbs->db, NULL, NULL, &err,
|
||
"savepoint inner%d;",
|
||
dbs->in_transaction);
|
||
if (rc)
|
||
{
|
||
log_error (_("error beginning transaction on TOFU database: %s\n"),
|
||
err);
|
||
sqlite3_free (err);
|
||
return gpg_error (GPG_ERR_GENERAL);
|
||
}
|
||
|
||
return 0;
|
||
}
|
||
|
||
|
||
/* Commit a transaction. If ONLY_BATCH is 1, then this only ends the
|
||
* batch transaction if we have left batch mode. If ONLY_BATCH is 2,
|
||
* this commits any open batch transaction even if we are still in
|
||
* batch mode. */
|
||
static gpg_error_t
|
||
end_transaction (ctrl_t ctrl, int only_batch)
|
||
{
|
||
tofu_dbs_t dbs = ctrl->tofu.dbs;
|
||
int rc;
|
||
char *err = NULL;
|
||
|
||
if (only_batch || (! only_batch && dbs->in_transaction == 1))
|
||
{
|
||
if (!dbs)
|
||
return 0; /* Shortcut to allow for easier cleanup code. */
|
||
|
||
/* If we are releasing the batch transaction, then we better not
|
||
be in a normal transaction. */
|
||
if (only_batch)
|
||
log_assert (dbs->in_transaction == 0);
|
||
|
||
if (/* Batch mode disabled? */
|
||
(!ctrl->tofu.batch_updated_wanted || only_batch == 2)
|
||
/* But, we still have an open batch transaction? */
|
||
&& dbs->in_batch_transaction)
|
||
{
|
||
/* The batch transaction is still in open, but we've left
|
||
* batch mode. */
|
||
dbs->in_batch_transaction = 0;
|
||
dbs->in_transaction = 0;
|
||
|
||
rc = gpgsql_stepx (dbs->db, &dbs->s.savepoint_batch_commit,
|
||
NULL, NULL, &err,
|
||
"commit transaction;", GPGSQL_ARG_END);
|
||
if (rc)
|
||
{
|
||
log_error (_("error committing transaction on TOFU database: %s\n"),
|
||
err);
|
||
sqlite3_free (err);
|
||
return gpg_error (GPG_ERR_GENERAL);
|
||
}
|
||
|
||
return 0;
|
||
}
|
||
|
||
if (only_batch)
|
||
return 0;
|
||
}
|
||
|
||
log_assert (dbs);
|
||
log_assert (dbs->in_transaction > 0);
|
||
|
||
rc = gpgsql_exec_printf (dbs->db, NULL, NULL, &err,
|
||
"release inner%d;", dbs->in_transaction);
|
||
|
||
dbs->in_transaction --;
|
||
|
||
if (rc)
|
||
{
|
||
log_error (_("error committing transaction on TOFU database: %s\n"),
|
||
err);
|
||
sqlite3_free (err);
|
||
return gpg_error (GPG_ERR_GENERAL);
|
||
}
|
||
|
||
return 0;
|
||
}
|
||
|
||
|
||
static gpg_error_t
|
||
rollback_transaction (ctrl_t ctrl)
|
||
{
|
||
tofu_dbs_t dbs = ctrl->tofu.dbs;
|
||
int rc;
|
||
char *err = NULL;
|
||
|
||
log_assert (dbs);
|
||
log_assert (dbs->in_transaction > 0);
|
||
|
||
/* Be careful to not undo any progress made by closed transactions in
|
||
batch mode. */
|
||
rc = gpgsql_exec_printf (dbs->db, NULL, NULL, &err,
|
||
"rollback to inner%d;",
|
||
dbs->in_transaction);
|
||
|
||
dbs->in_transaction --;
|
||
|
||
if (rc)
|
||
{
|
||
log_error (_("error rolling back transaction on TOFU database: %s\n"),
|
||
err);
|
||
sqlite3_free (err);
|
||
return gpg_error (GPG_ERR_GENERAL);
|
||
}
|
||
|
||
return 0;
|
||
}
|
||
|
||
void
|
||
tofu_begin_batch_update (ctrl_t ctrl)
|
||
{
|
||
ctrl->tofu.batch_updated_wanted ++;
|
||
}
|
||
|
||
void
|
||
tofu_end_batch_update (ctrl_t ctrl)
|
||
{
|
||
log_assert (ctrl->tofu.batch_updated_wanted > 0);
|
||
ctrl->tofu.batch_updated_wanted --;
|
||
end_transaction (ctrl, 1);
|
||
}
|
||
|
||
/* Suspend any extant batch transaction (it is safe to call this even
|
||
no batch transaction has been started). Note: you cannot suspend a
|
||
batch transaction if you are in a normal transaction. The batch
|
||
transaction can be resumed explicitly by calling
|
||
tofu_resume_batch_transaction or implicitly by starting a normal
|
||
transaction. */
|
||
static void
|
||
tofu_suspend_batch_transaction (ctrl_t ctrl)
|
||
{
|
||
end_transaction (ctrl, 2);
|
||
}
|
||
|
||
/* Resume a batch transaction if there is no extant batch transaction
|
||
and one has been requested using tofu_begin_batch_transaction. */
|
||
static void
|
||
tofu_resume_batch_transaction (ctrl_t ctrl)
|
||
{
|
||
begin_transaction (ctrl, 1);
|
||
}
|
||
|
||
|
||
|
||
/* Wrapper around strtol which prints a warning in case of a
|
||
* conversion error. On success the converted value is stored at
|
||
* R_VALUE and 0 is returned; on error FALLBACK is stored at R_VALUE
|
||
* and an error code is returned. */
|
||
static gpg_error_t
|
||
string_to_long (long *r_value, const char *string, long fallback, int line)
|
||
{
|
||
gpg_error_t err;
|
||
char *tail = NULL;
|
||
|
||
gpg_err_set_errno (0);
|
||
*r_value = strtol (string, &tail, 0);
|
||
if (errno || !(!strcmp (tail, ".0") || !*tail))
|
||
{
|
||
err = errno? gpg_error_from_errno (errno) : gpg_error (GPG_ERR_BAD_DATA);
|
||
log_debug ("%s:%d: strtol failed for TOFU DB data; returned string"
|
||
" (string='%.10s%s'; tail='%.10s%s'): %s\n",
|
||
__FILE__, line,
|
||
string, string && strlen(string) > 10 ? "..." : "",
|
||
tail, tail && strlen(tail) > 10 ? "..." : "",
|
||
gpg_strerror (err));
|
||
*r_value = fallback;
|
||
}
|
||
else
|
||
err = 0;
|
||
|
||
return err;
|
||
}
|
||
|
||
|
||
/* Wrapper around strtoul which prints a warning in case of a
|
||
* conversion error. On success the converted value is stored at
|
||
* R_VALUE and 0 is returned; on error FALLBACK is stored at R_VALUE
|
||
* and an error code is returned. */
|
||
static gpg_error_t
|
||
string_to_ulong (unsigned long *r_value, const char *string,
|
||
unsigned long fallback, int line)
|
||
{
|
||
gpg_error_t err;
|
||
char *tail = NULL;
|
||
|
||
gpg_err_set_errno (0);
|
||
*r_value = strtoul (string, &tail, 0);
|
||
if (errno || !(!strcmp (tail, ".0") || !*tail))
|
||
{
|
||
err = errno? gpg_error_from_errno (errno) : gpg_error (GPG_ERR_BAD_DATA);
|
||
log_debug ("%s:%d: strtoul failed for TOFU DB data; returned string"
|
||
" (string='%.10s%s'; tail='%.10s%s'): %s\n",
|
||
__FILE__, line,
|
||
string, string && strlen(string) > 10 ? "..." : "",
|
||
tail, tail && strlen(tail) > 10 ? "..." : "",
|
||
gpg_strerror (err));
|
||
*r_value = fallback;
|
||
}
|
||
else
|
||
err = 0;
|
||
|
||
return err;
|
||
}
|
||
|
||
|
||
|
||
/* Collect results of a select count (*) ...; style query. Aborts if
|
||
the argument is not a valid integer (or real of the form X.0). */
|
||
static int
|
||
get_single_unsigned_long_cb (void *cookie, int argc, char **argv,
|
||
char **azColName)
|
||
{
|
||
unsigned long int *count = cookie;
|
||
|
||
(void) azColName;
|
||
|
||
log_assert (argc == 1);
|
||
|
||
if (string_to_ulong (count, argv[0], 0, __LINE__))
|
||
return 1; /* Abort. */
|
||
return 0;
|
||
}
|
||
|
||
static int
|
||
get_single_unsigned_long_cb2 (void *cookie, int argc, char **argv,
|
||
char **azColName, sqlite3_stmt *stmt)
|
||
{
|
||
(void) stmt;
|
||
return get_single_unsigned_long_cb (cookie, argc, argv, azColName);
|
||
}
|
||
|
||
/* We expect a single integer column whose name is "version". COOKIE
|
||
must point to an int. This function always aborts. On error or a
|
||
if the version is bad, sets *VERSION to -1. */
|
||
static int
|
||
version_check_cb (void *cookie, int argc, char **argv, char **azColName)
|
||
{
|
||
int *version = cookie;
|
||
|
||
if (argc != 1 || strcmp (azColName[0], "version") != 0)
|
||
{
|
||
*version = -1;
|
||
return 1;
|
||
}
|
||
|
||
if (strcmp (argv[0], "1") == 0)
|
||
*version = 1;
|
||
else
|
||
{
|
||
log_error (_("unsupported TOFU database version: %s\n"), argv[0]);
|
||
*version = -1;
|
||
}
|
||
|
||
/* Don't run again. */
|
||
return 1;
|
||
}
|
||
|
||
static int
|
||
check_utks (sqlite3 *db)
|
||
{
|
||
int rc;
|
||
char *err = NULL;
|
||
struct key_item *utks;
|
||
struct key_item *ki;
|
||
int utk_count;
|
||
char *utks_string = NULL;
|
||
char keyid_str[16+1];
|
||
long utks_unchanged = 0;
|
||
|
||
/* An early version of the v1 format did not include the list of
|
||
* known ultimately trusted keys.
|
||
*
|
||
* This list is used to detect when the set of ultimately trusted
|
||
* keys changes. We need to detect this to invalidate the effective
|
||
* policy, which can change if an ultimately trusted key is added or
|
||
* removed. */
|
||
rc = sqlite3_exec (db,
|
||
"create table if not exists ultimately_trusted_keys"
|
||
" (keyid);\n",
|
||
NULL, NULL, &err);
|
||
if (rc)
|
||
{
|
||
log_error ("error creating 'ultimately_trusted_keys' TOFU table: %s\n",
|
||
err);
|
||
sqlite3_free (err);
|
||
goto out;
|
||
}
|
||
|
||
|
||
utks = tdb_utks ();
|
||
for (ki = utks, utk_count = 0; ki; ki = ki->next, utk_count ++)
|
||
;
|
||
|
||
if (utk_count)
|
||
{
|
||
/* Build a list of keyids of the form "XXX","YYY","ZZZ". */
|
||
int len = (1 + 16 + 1 + 1) * utk_count;
|
||
int o = 0;
|
||
|
||
utks_string = xmalloc (len);
|
||
*utks_string = 0;
|
||
for (ki = utks, utk_count = 0; ki; ki = ki->next, utk_count ++)
|
||
{
|
||
utks_string[o ++] = '\'';
|
||
format_keyid (ki->kid, KF_LONG,
|
||
keyid_str, sizeof (keyid_str));
|
||
memcpy (&utks_string[o], keyid_str, 16);
|
||
o += 16;
|
||
utks_string[o ++] = '\'';
|
||
utks_string[o ++] = ',';
|
||
}
|
||
utks_string[o - 1] = 0;
|
||
log_assert (o == len);
|
||
}
|
||
|
||
rc = gpgsql_exec_printf
|
||
(db, get_single_unsigned_long_cb, &utks_unchanged, &err,
|
||
"select"
|
||
/* Removed UTKs? (Known UTKs in current UTKs.) */
|
||
" ((select count(*) from ultimately_trusted_keys"
|
||
" where (keyid in (%s))) == %d)"
|
||
" and"
|
||
/* New UTKs? */
|
||
" ((select count(*) from ultimately_trusted_keys"
|
||
" where keyid not in (%s)) == 0);",
|
||
utks_string ? utks_string : "",
|
||
utk_count,
|
||
utks_string ? utks_string : "");
|
||
xfree (utks_string);
|
||
if (rc)
|
||
{
|
||
log_error (_("TOFU DB error"));
|
||
print_further_info ("checking if ultimately trusted keys changed: %s",
|
||
err);
|
||
sqlite3_free (err);
|
||
goto out;
|
||
}
|
||
|
||
if (utks_unchanged)
|
||
goto out;
|
||
|
||
if (DBG_TRUST)
|
||
log_debug ("TOFU: ultimately trusted keys changed.\n");
|
||
|
||
/* Given that the set of ultimately trusted keys
|
||
* changed, clear any cached policies. */
|
||
rc = gpgsql_exec_printf
|
||
(db, NULL, NULL, &err,
|
||
"update bindings set effective_policy = %d;",
|
||
TOFU_POLICY_NONE);
|
||
if (rc)
|
||
{
|
||
log_error (_("TOFU DB error"));
|
||
print_further_info ("clearing cached policies: %s", err);
|
||
sqlite3_free (err);
|
||
goto out;
|
||
}
|
||
|
||
/* Now, update the UTK table. */
|
||
rc = sqlite3_exec (db,
|
||
"drop table ultimately_trusted_keys;",
|
||
NULL, NULL, &err);
|
||
if (rc)
|
||
{
|
||
log_error (_("TOFU DB error"));
|
||
print_further_info ("dropping ultimately_trusted_keys: %s", err);
|
||
sqlite3_free (err);
|
||
goto out;
|
||
}
|
||
|
||
rc = sqlite3_exec (db,
|
||
"create table if not exists"
|
||
" ultimately_trusted_keys (keyid);\n",
|
||
NULL, NULL, &err);
|
||
if (rc)
|
||
{
|
||
log_error (_("TOFU DB error"));
|
||
print_further_info ("creating ultimately_trusted_keys: %s", err);
|
||
sqlite3_free (err);
|
||
goto out;
|
||
}
|
||
|
||
for (ki = utks; ki; ki = ki->next)
|
||
{
|
||
format_keyid (ki->kid, KF_LONG,
|
||
keyid_str, sizeof (keyid_str));
|
||
rc = gpgsql_exec_printf
|
||
(db, NULL, NULL, &err,
|
||
"insert into ultimately_trusted_keys values ('%s');",
|
||
keyid_str);
|
||
if (rc)
|
||
{
|
||
log_error (_("TOFU DB error"));
|
||
print_further_info ("updating ultimately_trusted_keys: %s",
|
||
err);
|
||
sqlite3_free (err);
|
||
goto out;
|
||
}
|
||
}
|
||
|
||
out:
|
||
return rc;
|
||
}
|
||
|
||
/* If the DB is new, initialize it. Otherwise, check the DB's
|
||
version.
|
||
|
||
Return 0 if the database is okay and 1 otherwise. */
|
||
static int
|
||
initdb (sqlite3 *db)
|
||
{
|
||
char *err = NULL;
|
||
int rc;
|
||
unsigned long int count;
|
||
int version = -1;
|
||
|
||
rc = sqlite3_exec (db, "begin transaction;", NULL, NULL, &err);
|
||
if (rc)
|
||
{
|
||
log_error (_("error beginning transaction on TOFU database: %s\n"),
|
||
err);
|
||
sqlite3_free (err);
|
||
return 1;
|
||
}
|
||
|
||
/* If the DB has no tables, then assume this is a new DB that needs
|
||
to be initialized. */
|
||
rc = sqlite3_exec (db,
|
||
"select count(*) from sqlite_master where type='table';",
|
||
get_single_unsigned_long_cb, &count, &err);
|
||
if (rc)
|
||
{
|
||
log_error (_("error reading TOFU database: %s\n"), err);
|
||
print_further_info ("query available tables");
|
||
sqlite3_free (err);
|
||
goto out;
|
||
}
|
||
else if (count != 0)
|
||
/* Assume that the DB is already initialized. Make sure the
|
||
version is okay. */
|
||
{
|
||
rc = sqlite3_exec (db, "select version from version;", version_check_cb,
|
||
&version, &err);
|
||
if (rc == SQLITE_ABORT && version == 1)
|
||
/* Happy, happy, joy, joy. */
|
||
{
|
||
sqlite3_free (err);
|
||
rc = 0;
|
||
goto out;
|
||
}
|
||
else if (rc == SQLITE_ABORT && version == -1)
|
||
/* Unsupported version. */
|
||
{
|
||
/* An error message was already displayed. */
|
||
sqlite3_free (err);
|
||
goto out;
|
||
}
|
||
else if (rc)
|
||
/* Some error. */
|
||
{
|
||
log_error (_("error determining TOFU database's version: %s\n"), err);
|
||
sqlite3_free (err);
|
||
goto out;
|
||
}
|
||
else
|
||
{
|
||
/* Unexpected success. This can only happen if there are no
|
||
rows. (select returned 0, but expected ABORT.) */
|
||
log_error (_("error determining TOFU database's version: %s\n"),
|
||
gpg_strerror (GPG_ERR_NO_DATA));
|
||
rc = 1;
|
||
goto out;
|
||
}
|
||
}
|
||
|
||
/* Create the version table. */
|
||
rc = sqlite3_exec (db,
|
||
"create table version (version INTEGER);",
|
||
NULL, NULL, &err);
|
||
if (rc)
|
||
{
|
||
log_error (_("error initializing TOFU database: %s\n"), err);
|
||
print_further_info ("create version");
|
||
sqlite3_free (err);
|
||
goto out;
|
||
}
|
||
|
||
/* Initialize the version table, which contains a single integer
|
||
value. */
|
||
rc = sqlite3_exec (db,
|
||
"insert into version values (1);",
|
||
NULL, NULL, &err);
|
||
if (rc)
|
||
{
|
||
log_error (_("error initializing TOFU database: %s\n"), err);
|
||
print_further_info ("insert version");
|
||
sqlite3_free (err);
|
||
goto out;
|
||
}
|
||
|
||
/* The list of <fingerprint, email> bindings and auxiliary data.
|
||
*
|
||
* OID is a unique ID identifying this binding (and used by the
|
||
* signatures table, see below). Note: OIDs will never be
|
||
* reused.
|
||
*
|
||
* FINGERPRINT: The key's fingerprint.
|
||
*
|
||
* EMAIL: The normalized email address.
|
||
*
|
||
* USER_ID: The unmodified user id from which EMAIL was extracted.
|
||
*
|
||
* TIME: The time this binding was first observed.
|
||
*
|
||
* POLICY: The trust policy (TOFU_POLICY_BAD, etc. as an integer).
|
||
*
|
||
* CONFLICT is either NULL or a fingerprint. Assume that we have
|
||
* a binding <0xdeadbeef, foo@example.com> and then we observe
|
||
* <0xbaddecaf, foo@example.com>. There two bindings conflict
|
||
* (they have the same email address). When we observe the
|
||
* latter binding, we warn the user about the conflict and ask
|
||
* for a policy decision about the new binding. We also change
|
||
* the old binding's policy to ask if it was auto. So that we
|
||
* know why this occurred, we also set conflict to 0xbaddecaf.
|
||
*/
|
||
rc = gpgsql_exec_printf
|
||
(db, NULL, NULL, &err,
|
||
"create table bindings\n"
|
||
" (oid INTEGER PRIMARY KEY AUTOINCREMENT,\n"
|
||
" fingerprint TEXT, email TEXT, user_id TEXT, time INTEGER,\n"
|
||
" policy INTEGER CHECK (policy in (%d, %d, %d, %d, %d)),\n"
|
||
" conflict STRING,\n"
|
||
" unique (fingerprint, email));\n"
|
||
"create index bindings_fingerprint_email\n"
|
||
" on bindings (fingerprint, email);\n"
|
||
"create index bindings_email on bindings (email);\n",
|
||
TOFU_POLICY_AUTO, TOFU_POLICY_GOOD, TOFU_POLICY_UNKNOWN,
|
||
TOFU_POLICY_BAD, TOFU_POLICY_ASK);
|
||
if (rc)
|
||
{
|
||
log_error (_("error initializing TOFU database: %s\n"), err);
|
||
print_further_info ("create bindings");
|
||
sqlite3_free (err);
|
||
goto out;
|
||
}
|
||
|
||
/* The signatures that we have observed.
|
||
*
|
||
* BINDING refers to a record in the bindings table, which
|
||
* describes the binding (i.e., this is a foreign key that
|
||
* references bindings.oid).
|
||
*
|
||
* SIG_DIGEST is the digest stored in the signature.
|
||
*
|
||
* SIG_TIME is the timestamp stored in the signature.
|
||
*
|
||
* ORIGIN is a free-form string that describes who fed this
|
||
* signature to GnuPG (e.g., email:claws).
|
||
*
|
||
* TIME is the time this signature was registered. */
|
||
rc = sqlite3_exec (db,
|
||
"create table signatures "
|
||
" (binding INTEGER NOT NULL, sig_digest TEXT,"
|
||
" origin TEXT, sig_time INTEGER, time INTEGER,"
|
||
" primary key (binding, sig_digest, origin));",
|
||
NULL, NULL, &err);
|
||
if (rc)
|
||
{
|
||
log_error (_("error initializing TOFU database: %s\n"), err);
|
||
print_further_info ("create signatures");
|
||
sqlite3_free (err);
|
||
goto out;
|
||
}
|
||
|
||
out:
|
||
if (! rc)
|
||
{
|
||
/* Early version of the v1 format did not include the encryption
|
||
table. Add it. */
|
||
rc = sqlite3_exec (db,
|
||
"create table if not exists encryptions"
|
||
" (binding INTEGER NOT NULL,"
|
||
" time INTEGER);"
|
||
"create index if not exists encryptions_binding"
|
||
" on encryptions (binding);\n",
|
||
NULL, NULL, &err);
|
||
if (rc)
|
||
{
|
||
log_error ("error creating 'encryptions' TOFU table: %s\n",
|
||
err);
|
||
sqlite3_free (err);
|
||
}
|
||
}
|
||
if (! rc)
|
||
{
|
||
/* The effective policy for a binding. If a key is ultimately
|
||
* trusted, then the effective policy of all of its bindings is
|
||
* good. Likewise if a key is signed by an ultimately trusted
|
||
* key, etc. If the effective policy is NONE, then we need to
|
||
* recompute the effective policy. Otherwise, the effective
|
||
* policy is considered to be up to date, i.e., effective_policy
|
||
* is a cache of the computed policy. */
|
||
rc = gpgsql_exec_printf
|
||
(db, NULL, NULL, &err,
|
||
"alter table bindings"
|
||
" add column effective_policy INTEGER"
|
||
" DEFAULT %d"
|
||
" CHECK (effective_policy in (%d, %d, %d, %d, %d, %d));",
|
||
TOFU_POLICY_NONE,
|
||
TOFU_POLICY_NONE, TOFU_POLICY_AUTO, TOFU_POLICY_GOOD,
|
||
TOFU_POLICY_UNKNOWN, TOFU_POLICY_BAD, TOFU_POLICY_ASK);
|
||
if (rc)
|
||
{
|
||
if (rc == SQLITE_ERROR)
|
||
/* Almost certainly "duplicate column name", which we can
|
||
* safely ignore. */
|
||
rc = 0;
|
||
else
|
||
log_error ("adding column effective_policy to bindings DB: %s\n",
|
||
err);
|
||
sqlite3_free (err);
|
||
}
|
||
}
|
||
|
||
if (! rc)
|
||
rc = check_utks (db);
|
||
|
||
if (rc)
|
||
{
|
||
rc = sqlite3_exec (db, "rollback;", NULL, NULL, &err);
|
||
if (rc)
|
||
{
|
||
log_error (_("error rolling back transaction on TOFU database: %s\n"),
|
||
err);
|
||
sqlite3_free (err);
|
||
}
|
||
return 1;
|
||
}
|
||
else
|
||
{
|
||
rc = sqlite3_exec (db, "end transaction;", NULL, NULL, &err);
|
||
if (rc)
|
||
{
|
||
log_error (_("error committing transaction on TOFU database: %s\n"),
|
||
err);
|
||
sqlite3_free (err);
|
||
return 1;
|
||
}
|
||
return 0;
|
||
}
|
||
}
|
||
|
||
static int
|
||
busy_handler (void *cookie, int call_count)
|
||
{
|
||
ctrl_t ctrl = cookie;
|
||
tofu_dbs_t dbs = ctrl->tofu.dbs;
|
||
|
||
(void) call_count;
|
||
|
||
/* Update the want-lock-file time stamp (specifically, the ctime) so
|
||
* that the current owner knows that we (well, someone) want the
|
||
* lock. */
|
||
if (dbs)
|
||
{
|
||
/* Note: we don't fail if we can't create the lock file: this
|
||
* process will have to wait a bit longer, but otherwise nothing
|
||
* horrible should happen. */
|
||
|
||
estream_t fp;
|
||
|
||
fp = es_fopen (dbs->want_lock_file, "w");
|
||
if (! fp)
|
||
log_debug ("TOFU: Error opening '%s': %s\n",
|
||
dbs->want_lock_file, strerror (errno));
|
||
else
|
||
es_fclose (fp);
|
||
}
|
||
|
||
/* Call again. */
|
||
return 1;
|
||
}
|
||
|
||
/* Create a new DB handle. Returns NULL on error. */
|
||
/* FIXME: Change to return an error code for better reporting by the
|
||
caller. */
|
||
static tofu_dbs_t
|
||
opendbs (ctrl_t ctrl)
|
||
{
|
||
char *filename;
|
||
sqlite3 *db;
|
||
int rc;
|
||
|
||
if (!ctrl->tofu.dbs)
|
||
{
|
||
filename = make_filename (gnupg_homedir (), "tofu.db", NULL);
|
||
|
||
rc = sqlite3_open (filename, &db);
|
||
if (rc)
|
||
{
|
||
log_error (_("error opening TOFU database '%s': %s\n"),
|
||
filename, sqlite3_errmsg (db));
|
||
/* Even if an error occurs, DB is guaranteed to be valid. */
|
||
sqlite3_close (db);
|
||
db = NULL;
|
||
}
|
||
|
||
/* If a DB is locked wait up to 5 seconds for the lock to be cleared
|
||
before failing. */
|
||
if (db)
|
||
{
|
||
sqlite3_busy_timeout (db, 5 * 1000);
|
||
sqlite3_busy_handler (db, busy_handler, ctrl);
|
||
}
|
||
|
||
if (db && initdb (db))
|
||
{
|
||
sqlite3_close (db);
|
||
db = NULL;
|
||
}
|
||
|
||
if (db)
|
||
{
|
||
ctrl->tofu.dbs = xmalloc_clear (sizeof *ctrl->tofu.dbs);
|
||
ctrl->tofu.dbs->db = db;
|
||
ctrl->tofu.dbs->want_lock_file = xasprintf ("%s-want-lock", filename);
|
||
}
|
||
|
||
xfree (filename);
|
||
}
|
||
else
|
||
log_assert (ctrl->tofu.dbs->db);
|
||
|
||
return ctrl->tofu.dbs;
|
||
}
|
||
|
||
|
||
/* Release all of the resources associated with the DB handle. */
|
||
void
|
||
tofu_closedbs (ctrl_t ctrl)
|
||
{
|
||
tofu_dbs_t dbs;
|
||
sqlite3_stmt **statements;
|
||
|
||
dbs = ctrl->tofu.dbs;
|
||
if (!dbs)
|
||
return; /* Not initialized. */
|
||
|
||
log_assert (dbs->in_transaction == 0);
|
||
|
||
end_transaction (ctrl, 2);
|
||
|
||
/* Arghh, that is a surprising use of the struct. */
|
||
for (statements = (void *) &dbs->s;
|
||
(void *) statements < (void *) &(&dbs->s)[1];
|
||
statements ++)
|
||
sqlite3_finalize (*statements);
|
||
|
||
sqlite3_close (dbs->db);
|
||
xfree (dbs->want_lock_file);
|
||
xfree (dbs);
|
||
ctrl->tofu.dbs = NULL;
|
||
}
|
||
|
||
|
||
/* Collect results of a select min (foo) ...; style query. Aborts if
|
||
the argument is not a valid integer (or real of the form X.0). */
|
||
static int
|
||
get_single_long_cb (void *cookie, int argc, char **argv, char **azColName)
|
||
{
|
||
long *count = cookie;
|
||
|
||
(void) azColName;
|
||
|
||
log_assert (argc == 1);
|
||
|
||
if (string_to_long (count, argv[0], 0, __LINE__))
|
||
return 1; /* Abort. */
|
||
|
||
return 0;
|
||
}
|
||
|
||
static int
|
||
get_single_long_cb2 (void *cookie, int argc, char **argv, char **azColName,
|
||
sqlite3_stmt *stmt)
|
||
{
|
||
(void) stmt;
|
||
return get_single_long_cb (cookie, argc, argv, azColName);
|
||
}
|
||
|
||
/* Record (or update) a trust policy about a (possibly new)
|
||
binding.
|
||
|
||
If SHOW_OLD is set, the binding's old policy is displayed. */
|
||
static gpg_error_t
|
||
record_binding (tofu_dbs_t dbs, const char *fingerprint, const char *email,
|
||
const char *user_id,
|
||
enum tofu_policy policy, enum tofu_policy effective_policy,
|
||
const char *conflict, int set_conflict,
|
||
int show_old, time_t now)
|
||
{
|
||
char *fingerprint_pp = format_hexfingerprint (fingerprint, NULL, 0);
|
||
gpg_error_t rc;
|
||
char *err = NULL;
|
||
|
||
if (! (policy == TOFU_POLICY_AUTO
|
||
|| policy == TOFU_POLICY_GOOD
|
||
|| policy == TOFU_POLICY_UNKNOWN
|
||
|| policy == TOFU_POLICY_BAD
|
||
|| policy == TOFU_POLICY_ASK))
|
||
log_bug ("%s: Bad value for policy (%d)!\n", __func__, policy);
|
||
|
||
|
||
if (DBG_TRUST || show_old)
|
||
{
|
||
/* Get the old policy. Since this is just for informational
|
||
* purposes, there is no need to start a transaction or to die
|
||
* if there is a failure. */
|
||
|
||
/* policy_old needs to be a long and not an enum tofu_policy,
|
||
because we pass it by reference to get_single_long_cb2, which
|
||
expects a long. */
|
||
long policy_old = TOFU_POLICY_NONE;
|
||
|
||
rc = gpgsql_stepx
|
||
(dbs->db, &dbs->s.record_binding_get_old_policy,
|
||
get_single_long_cb2, &policy_old, &err,
|
||
"select policy from bindings where fingerprint = ? and email = ?",
|
||
GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email,
|
||
GPGSQL_ARG_END);
|
||
if (rc)
|
||
{
|
||
log_debug ("TOFU: Error reading from binding database"
|
||
" (reading policy for <key: %s, user id: %s>): %s\n",
|
||
fingerprint, email, err);
|
||
sqlite3_free (err);
|
||
}
|
||
|
||
if (policy_old != TOFU_POLICY_NONE)
|
||
(show_old ? log_info : log_debug)
|
||
("Changing TOFU trust policy for binding"
|
||
" <key: %s, user id: %s> from %s to %s.\n",
|
||
fingerprint, show_old ? user_id : email,
|
||
tofu_policy_str (policy_old),
|
||
tofu_policy_str (policy));
|
||
else
|
||
(show_old ? log_info : log_debug)
|
||
("Setting TOFU trust policy for new binding"
|
||
" <key: %s, user id: %s> to %s.\n",
|
||
fingerprint, show_old ? user_id : email,
|
||
tofu_policy_str (policy));
|
||
}
|
||
|
||
if (opt.dry_run)
|
||
{
|
||
log_info ("TOFU database update skipped due to --dry-run\n");
|
||
rc = 0;
|
||
goto leave;
|
||
}
|
||
|
||
rc = gpgsql_stepx
|
||
(dbs->db, &dbs->s.record_binding_update, NULL, NULL, &err,
|
||
"insert or replace into bindings\n"
|
||
" (oid, fingerprint, email, user_id, time,"
|
||
" policy, conflict, effective_policy)\n"
|
||
" values (\n"
|
||
/* If we don't explicitly reuse the OID, then SQLite will
|
||
* reallocate a new one. We just need to search for the OID
|
||
* based on the fingerprint and email since they are unique. */
|
||
" (select oid from bindings where fingerprint = ? and email = ?),\n"
|
||
" ?, ?, ?, ?, ?,"
|
||
/* If SET_CONFLICT is 0, then preserve conflict's current value. */
|
||
" case ?"
|
||
" when 0 then"
|
||
" (select conflict from bindings where fingerprint = ? and email = ?)"
|
||
" else ?"
|
||
" end,"
|
||
" ?);",
|
||
/* oid subquery. */
|
||
GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email,
|
||
/* values 2 through 6. */
|
||
GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email,
|
||
GPGSQL_ARG_STRING, user_id,
|
||
GPGSQL_ARG_LONG_LONG, (long long) now,
|
||
GPGSQL_ARG_INT, (int) policy,
|
||
/* conflict subquery. */
|
||
GPGSQL_ARG_INT, set_conflict ? 1 : 0,
|
||
GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email,
|
||
GPGSQL_ARG_STRING, conflict ? conflict : "",
|
||
GPGSQL_ARG_INT, (int) effective_policy,
|
||
GPGSQL_ARG_END);
|
||
if (rc)
|
||
{
|
||
log_error (_("error updating TOFU database: %s\n"), err);
|
||
print_further_info (" insert bindings <key: %s, user id: %s> = %s",
|
||
fingerprint, email, tofu_policy_str (policy));
|
||
sqlite3_free (err);
|
||
goto leave;
|
||
}
|
||
|
||
leave:
|
||
xfree (fingerprint_pp);
|
||
return rc;
|
||
}
|
||
|
||
|
||
/* Collect the strings returned by a query in a simple string list.
|
||
Any NULL values are converted to the empty string.
|
||
|
||
If a result has 3 rows and each row contains two columns, then the
|
||
results are added to the list as follows (the value is parentheses
|
||
is the 1-based index in the final list):
|
||
|
||
row 1, col 2 (6)
|
||
row 1, col 1 (5)
|
||
row 2, col 2 (4)
|
||
row 2, col 1 (3)
|
||
row 3, col 2 (2)
|
||
row 3, col 1 (1)
|
||
|
||
This is because add_to_strlist pushes the results onto the front of
|
||
the list. The end result is that the rows are backwards, but the
|
||
columns are in the expected order. */
|
||
static int
|
||
strings_collect_cb (void *cookie, int argc, char **argv, char **azColName)
|
||
{
|
||
int i;
|
||
strlist_t *strlist = cookie;
|
||
|
||
(void) azColName;
|
||
|
||
for (i = argc - 1; i >= 0; i --)
|
||
add_to_strlist (strlist, argv[i] ? argv[i] : "");
|
||
|
||
return 0;
|
||
}
|
||
|
||
static int
|
||
strings_collect_cb2 (void *cookie, int argc, char **argv, char **azColName,
|
||
sqlite3_stmt *stmt)
|
||
{
|
||
(void) stmt;
|
||
return strings_collect_cb (cookie, argc, argv, azColName);
|
||
|
||
}
|
||
|
||
/* Auxiliary data structure to collect statistics about
|
||
signatures. */
|
||
struct signature_stats
|
||
{
|
||
struct signature_stats *next;
|
||
|
||
/* The user-assigned policy for this binding. */
|
||
enum tofu_policy policy;
|
||
|
||
/* How long ago the signature was created (rounded to a multiple of
|
||
TIME_AGO_UNIT_SMALL, etc.). */
|
||
long time_ago;
|
||
/* Number of signatures during this time. */
|
||
unsigned long count;
|
||
|
||
/* If the corresponding key/user id has been expired / revoked. */
|
||
int is_expired;
|
||
int is_revoked;
|
||
|
||
/* The key that generated this signature. */
|
||
char fingerprint[1];
|
||
};
|
||
|
||
static void
|
||
signature_stats_free (struct signature_stats *stats)
|
||
{
|
||
while (stats)
|
||
{
|
||
struct signature_stats *next = stats->next;
|
||
xfree (stats);
|
||
stats = next;
|
||
}
|
||
}
|
||
|
||
static void
|
||
signature_stats_prepend (struct signature_stats **statsp,
|
||
const char *fingerprint,
|
||
enum tofu_policy policy,
|
||
long time_ago,
|
||
unsigned long count)
|
||
{
|
||
struct signature_stats *stats =
|
||
xmalloc_clear (sizeof (*stats) + strlen (fingerprint));
|
||
|
||
stats->next = *statsp;
|
||
*statsp = stats;
|
||
|
||
strcpy (stats->fingerprint, fingerprint);
|
||
stats->policy = policy;
|
||
stats->time_ago = time_ago;
|
||
stats->count = count;
|
||
}
|
||
|
||
|
||
/* Process rows that contain the four columns:
|
||
|
||
<fingerprint, policy, time ago, count>. */
|
||
static int
|
||
signature_stats_collect_cb (void *cookie, int argc, char **argv,
|
||
char **azColName, sqlite3_stmt *stmt)
|
||
{
|
||
struct signature_stats **statsp = cookie;
|
||
int i = 0;
|
||
enum tofu_policy policy;
|
||
long time_ago;
|
||
unsigned long count;
|
||
long along;
|
||
|
||
(void) azColName;
|
||
(void) stmt;
|
||
|
||
i ++;
|
||
|
||
if (string_to_long (&along, argv[i], 0, __LINE__))
|
||
return 1; /* Abort */
|
||
policy = along;
|
||
i ++;
|
||
|
||
if (! argv[i])
|
||
time_ago = 0;
|
||
else
|
||
{
|
||
if (string_to_long (&time_ago, argv[i], 0, __LINE__))
|
||
return 1; /* Abort. */
|
||
}
|
||
i ++;
|
||
|
||
/* If time_ago is NULL, then we had no messages, but we still have a
|
||
single row, which count(*) turns into 1. */
|
||
if (! argv[i - 1])
|
||
count = 0;
|
||
else
|
||
{
|
||
if (string_to_ulong (&count, argv[i], 0, __LINE__))
|
||
return 1; /* Abort */
|
||
}
|
||
i ++;
|
||
|
||
log_assert (argc == i);
|
||
|
||
signature_stats_prepend (statsp, argv[0], policy, time_ago, count);
|
||
|
||
return 0;
|
||
}
|
||
|
||
/* Format the first part of a conflict message and return that as a
|
||
* malloced string. Returns NULL on error. */
|
||
static char *
|
||
format_conflict_msg_part1 (int policy, strlist_t conflict_set,
|
||
const char *email)
|
||
{
|
||
estream_t fp;
|
||
char *fingerprint;
|
||
char *tmpstr, *text;
|
||
|
||
log_assert (conflict_set);
|
||
fingerprint = conflict_set->d;
|
||
|
||
fp = es_fopenmem (0, "rw,samethread");
|
||
if (!fp)
|
||
log_fatal ("error creating memory stream: %s\n",
|
||
gpg_strerror (gpg_error_from_syserror()));
|
||
|
||
if (policy == TOFU_POLICY_NONE)
|
||
{
|
||
es_fprintf (fp,
|
||
_("This is the first time the email address \"%s\" is "
|
||
"being used with key %s."),
|
||
email, fingerprint);
|
||
es_fputs (" ", fp);
|
||
}
|
||
else if (policy == TOFU_POLICY_ASK && conflict_set->next)
|
||
{
|
||
int conflicts = strlist_length (conflict_set);
|
||
es_fprintf
|
||
(fp, ngettext("The email address \"%s\" is associated with %d key!",
|
||
"The email address \"%s\" is associated with %d keys!",
|
||
conflicts),
|
||
email, conflicts);
|
||
if (opt.verbose)
|
||
es_fprintf (fp,
|
||
_(" Since this binding's policy was 'auto', it has been "
|
||
"changed to 'ask'."));
|
||
es_fputs (" ", fp);
|
||
}
|
||
|
||
es_fprintf (fp,
|
||
_("Please indicate whether this email address should"
|
||
" be associated with key %s or whether you think someone"
|
||
" is impersonating \"%s\"."),
|
||
fingerprint, email);
|
||
es_fputc ('\n', fp);
|
||
|
||
es_fputc (0, fp);
|
||
if (es_fclose_snatch (fp, (void **)&tmpstr, NULL))
|
||
log_fatal ("error snatching memory stream\n");
|
||
text = format_text (tmpstr, 72, 80);
|
||
es_free (tmpstr);
|
||
|
||
return text;
|
||
}
|
||
|
||
|
||
/* Return 1 if A signed B and B signed A. */
|
||
static int
|
||
cross_sigs (const char *email, kbnode_t a, kbnode_t b)
|
||
{
|
||
int i;
|
||
|
||
PKT_public_key *a_pk = a->pkt->pkt.public_key;
|
||
PKT_public_key *b_pk = b->pkt->pkt.public_key;
|
||
|
||
char a_keyid[33];
|
||
char b_keyid[33];
|
||
|
||
if (DBG_TRUST)
|
||
{
|
||
format_keyid (pk_main_keyid (a_pk),
|
||
KF_LONG, a_keyid, sizeof (a_keyid));
|
||
format_keyid (pk_main_keyid (b_pk),
|
||
KF_LONG, b_keyid, sizeof (b_keyid));
|
||
}
|
||
|
||
for (i = 0; i < 2; i ++)
|
||
{
|
||
/* See if SIGNER signed SIGNEE. */
|
||
|
||
kbnode_t signer = i == 0 ? a : b;
|
||
kbnode_t signee = i == 0 ? b : a;
|
||
|
||
PKT_public_key *signer_pk = signer->pkt->pkt.public_key;
|
||
u32 *signer_kid = pk_main_keyid (signer_pk);
|
||
kbnode_t n;
|
||
|
||
int saw_email = 0;
|
||
|
||
/* Iterate over SIGNEE's keyblock and see if there is a valid
|
||
signature from SIGNER. */
|
||
for (n = signee; n; n = n->next)
|
||
{
|
||
PKT_signature *sig;
|
||
|
||
if (n->pkt->pkttype == PKT_USER_ID)
|
||
{
|
||
if (saw_email)
|
||
/* We're done: we've processed all signatures on the
|
||
user id. */
|
||
break;
|
||
else
|
||
{
|
||
/* See if this is the matching user id. */
|
||
PKT_user_id *user_id = n->pkt->pkt.user_id;
|
||
char *email2 = email_from_user_id (user_id->name);
|
||
|
||
if (strcmp (email, email2) == 0)
|
||
saw_email = 1;
|
||
|
||
xfree (email2);
|
||
}
|
||
}
|
||
|
||
if (! saw_email)
|
||
continue;
|
||
|
||
if (n->pkt->pkttype != PKT_SIGNATURE)
|
||
continue;
|
||
|
||
sig = n->pkt->pkt.signature;
|
||
|
||
if (! (sig->sig_class == 0x10
|
||
|| sig->sig_class == 0x11
|
||
|| sig->sig_class == 0x12
|
||
|| sig->sig_class == 0x13))
|
||
/* Not a signature over a user id. */
|
||
continue;
|
||
|
||
/* SIG is on SIGNEE's keyblock. If SIG was generated by the
|
||
signer, then it's a match. */
|
||
if (keyid_cmp (sig->keyid, signer_kid) == 0)
|
||
/* Match! */
|
||
break;
|
||
}
|
||
if (! n)
|
||
/* We didn't find a signature from signer over signee. */
|
||
{
|
||
if (DBG_TRUST)
|
||
log_debug ("No cross sig between %s and %s\n",
|
||
a_keyid, b_keyid);
|
||
return 0;
|
||
}
|
||
}
|
||
|
||
/* A signed B and B signed A. */
|
||
if (DBG_TRUST)
|
||
log_debug ("Cross sig between %s and %s\n",
|
||
a_keyid, b_keyid);
|
||
|
||
return 1;
|
||
}
|
||
|
||
/* Return whether the key was signed by an ultimately trusted key. */
|
||
static int
|
||
signed_by_utk (const char *email, kbnode_t a)
|
||
{
|
||
kbnode_t n;
|
||
int saw_email = 0;
|
||
|
||
for (n = a; n; n = n->next)
|
||
{
|
||
PKT_signature *sig;
|
||
|
||
if (n->pkt->pkttype == PKT_USER_ID)
|
||
{
|
||
if (saw_email)
|
||
/* We're done: we've processed all signatures on the
|
||
user id. */
|
||
break;
|
||
else
|
||
{
|
||
/* See if this is the matching user id. */
|
||
PKT_user_id *user_id = n->pkt->pkt.user_id;
|
||
char *email2 = email_from_user_id (user_id->name);
|
||
|
||
if (strcmp (email, email2) == 0)
|
||
saw_email = 1;
|
||
|
||
xfree (email2);
|
||
}
|
||
}
|
||
|
||
if (! saw_email)
|
||
continue;
|
||
|
||
if (n->pkt->pkttype != PKT_SIGNATURE)
|
||
continue;
|
||
|
||
sig = n->pkt->pkt.signature;
|
||
|
||
if (! (sig->sig_class == 0x10
|
||
|| sig->sig_class == 0x11
|
||
|| sig->sig_class == 0x12
|
||
|| sig->sig_class == 0x13))
|
||
/* Not a signature over a user id. */
|
||
continue;
|
||
|
||
/* SIG is on SIGNEE's keyblock. If SIG was generated by the
|
||
signer, then it's a match. */
|
||
if (tdb_keyid_is_utk (sig->keyid))
|
||
{
|
||
/* Match! */
|
||
if (DBG_TRUST)
|
||
log_debug ("TOFU: %s is signed by an ultimately trusted key.\n",
|
||
pk_keyid_str (a->pkt->pkt.public_key));
|
||
|
||
return 1;
|
||
}
|
||
}
|
||
|
||
if (DBG_TRUST)
|
||
log_debug ("TOFU: %s is NOT signed by an ultimately trusted key.\n",
|
||
pk_keyid_str (a->pkt->pkt.public_key));
|
||
|
||
return 0;
|
||
}
|
||
|
||
|
||
enum
|
||
{
|
||
BINDING_NEW = 1 << 0,
|
||
BINDING_CONFLICT = 1 << 1,
|
||
BINDING_EXPIRED = 1 << 2,
|
||
BINDING_REVOKED = 1 << 3
|
||
};
|
||
|
||
|
||
/* Ask the user about the binding. There are three ways we could end
|
||
* up here:
|
||
*
|
||
* - This is a new binding and there is a conflict
|
||
* (policy == TOFU_POLICY_NONE && conflict_set_count > 1),
|
||
*
|
||
* - This is a new binding and opt.tofu_default_policy is set to
|
||
* ask. (policy == TOFU_POLICY_NONE && opt.tofu_default_policy ==
|
||
* TOFU_POLICY_ASK), or,
|
||
*
|
||
* - The policy is ask (the user deferred last time) (policy ==
|
||
* TOFU_POLICY_ASK).
|
||
*
|
||
* Note: this function must not be called while in a transaction!
|
||
*
|
||
* CONFLICT_SET includes all of the conflicting bindings
|
||
* with FINGERPRINT first. FLAGS is a bit-wise or of
|
||
* BINDING_NEW, etc.
|
||
*/
|
||
static void
|
||
ask_about_binding (ctrl_t ctrl,
|
||
enum tofu_policy *policy,
|
||
int *trust_level,
|
||
strlist_t conflict_set,
|
||
const char *fingerprint,
|
||
const char *email,
|
||
const char *user_id,
|
||
time_t now)
|
||
{
|
||
tofu_dbs_t dbs;
|
||
strlist_t iter;
|
||
int conflict_set_count = strlist_length (conflict_set);
|
||
char *sqerr = NULL;
|
||
int rc;
|
||
estream_t fp;
|
||
strlist_t other_user_ids = NULL;
|
||
struct signature_stats *stats = NULL;
|
||
struct signature_stats *stats_iter = NULL;
|
||
char *prompt = NULL;
|
||
const char *choices;
|
||
|
||
dbs = ctrl->tofu.dbs;
|
||
log_assert (dbs);
|
||
log_assert (dbs->in_transaction == 0);
|
||
|
||
fp = es_fopenmem (0, "rw,samethread");
|
||
if (!fp)
|
||
log_fatal ("error creating memory stream: %s\n",
|
||
gpg_strerror (gpg_error_from_syserror()));
|
||
|
||
{
|
||
char *text = format_conflict_msg_part1 (*policy, conflict_set, email);
|
||
if (!text) /* FIXME: Return the error all the way up. */
|
||
log_fatal ("format failed: %s\n",
|
||
gpg_strerror (gpg_error_from_syserror()));
|
||
|
||
es_fputs (text, fp);
|
||
es_fputc ('\n', fp);
|
||
xfree (text);
|
||
}
|
||
|
||
begin_transaction (ctrl, 0);
|
||
|
||
/* Find other user ids associated with this key and whether the
|
||
* bindings are marked as good or bad. */
|
||
rc = gpgsql_stepx
|
||
(dbs->db, &dbs->s.get_trust_gather_other_user_ids,
|
||
strings_collect_cb2, &other_user_ids, &sqerr,
|
||
"select user_id, policy from bindings where fingerprint = ?;",
|
||
GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_END);
|
||
if (rc)
|
||
{
|
||
log_error (_("error gathering other user IDs: %s\n"), sqerr);
|
||
sqlite3_free (sqerr);
|
||
sqerr = NULL;
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
}
|
||
|
||
if (other_user_ids)
|
||
{
|
||
strlist_t strlist_iter;
|
||
|
||
es_fprintf (fp, _("This key's user IDs:\n"));
|
||
for (strlist_iter = other_user_ids;
|
||
strlist_iter;
|
||
strlist_iter = strlist_iter->next)
|
||
{
|
||
char *other_user_id = strlist_iter->d;
|
||
char *other_thing;
|
||
enum tofu_policy other_policy;
|
||
|
||
log_assert (strlist_iter->next);
|
||
strlist_iter = strlist_iter->next;
|
||
other_thing = strlist_iter->d;
|
||
|
||
other_policy = atoi (other_thing);
|
||
|
||
es_fprintf (fp, " %s (", other_user_id);
|
||
es_fprintf (fp, _("policy: %s"), tofu_policy_str (other_policy));
|
||
es_fprintf (fp, ")\n");
|
||
}
|
||
es_fprintf (fp, "\n");
|
||
|
||
free_strlist (other_user_ids);
|
||
}
|
||
|
||
/* Get the stats for all the keys in CONFLICT_SET. */
|
||
strlist_rev (&conflict_set);
|
||
for (iter = conflict_set; iter && ! rc; iter = iter->next)
|
||
{
|
||
#define STATS_SQL(table, time, sign) \
|
||
"select fingerprint, policy, time_ago, count(*)\n" \
|
||
" from\n" \
|
||
" (select bindings.*,\n" \
|
||
" "sign" case\n" \
|
||
" when delta ISNULL then 1\n" \
|
||
/* From the future (but if its just a couple of hours in the \
|
||
* future don't turn it into a warning)? Or should we use \
|
||
* small, medium or large units? (Note: whatever we do, we \
|
||
* keep the value in seconds. Then when we group, everything \
|
||
* that rounds to the same number of seconds is grouped.) */ \
|
||
" when delta < -("STRINGIFY (TIME_AGO_FUTURE_IGNORE)") then 2\n" \
|
||
" when delta < ("STRINGIFY (TIME_AGO_SMALL_THRESHOLD)")\n" \
|
||
" then 3\n" \
|
||
" when delta < ("STRINGIFY (TIME_AGO_MEDIUM_THRESHOLD)")\n" \
|
||
" then 4\n" \
|
||
" when delta < ("STRINGIFY (TIME_AGO_LARGE_THRESHOLD)")\n" \
|
||
" then 5\n" \
|
||
" else 6\n" \
|
||
" end time_ago,\n" \
|
||
" delta time_ago_raw\n" \
|
||
" from bindings\n" \
|
||
" left join\n" \
|
||
" (select *,\n" \
|
||
" cast(? - " time " as real) delta\n" \
|
||
" from " table ") ss\n" \
|
||
" on ss.binding = bindings.oid)\n" \
|
||
" where email = ? and fingerprint = ?\n" \
|
||
" group by time_ago\n" \
|
||
/* Make sure the current key is first. */ \
|
||
" order by time_ago desc;\n"
|
||
|
||
/* Use the time when we saw the signature, not when the
|
||
signature was created as that can be forged. */
|
||
rc = gpgsql_stepx
|
||
(dbs->db, &dbs->s.get_trust_gather_signature_stats,
|
||
signature_stats_collect_cb, &stats, &sqerr,
|
||
STATS_SQL ("signatures", "time", ""),
|
||
GPGSQL_ARG_LONG_LONG, (long long) now,
|
||
GPGSQL_ARG_STRING, email,
|
||
GPGSQL_ARG_STRING, iter->d,
|
||
GPGSQL_ARG_END);
|
||
if (rc)
|
||
{
|
||
sqlite3_free (sqerr);
|
||
sqerr = NULL;
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
break;
|
||
}
|
||
|
||
if (!stats || strcmp (iter->d, stats->fingerprint) != 0)
|
||
/* No stats for this binding. Add a dummy entry. */
|
||
signature_stats_prepend (&stats, iter->d, TOFU_POLICY_AUTO, 1, 1);
|
||
|
||
rc = gpgsql_stepx
|
||
(dbs->db, &dbs->s.get_trust_gather_encryption_stats,
|
||
signature_stats_collect_cb, &stats, &sqerr,
|
||
STATS_SQL ("encryptions", "time", "-"),
|
||
GPGSQL_ARG_LONG_LONG, (long long) now,
|
||
GPGSQL_ARG_STRING, email,
|
||
GPGSQL_ARG_STRING, iter->d,
|
||
GPGSQL_ARG_END);
|
||
if (rc)
|
||
{
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
break;
|
||
}
|
||
|
||
#undef STATS_SQL
|
||
|
||
if (!stats || strcmp (iter->d, stats->fingerprint) != 0
|
||
|| stats->time_ago > 0)
|
||
/* No stats for this binding. Add a dummy entry. */
|
||
signature_stats_prepend (&stats, iter->d, TOFU_POLICY_AUTO, -1, 1);
|
||
}
|
||
end_transaction (ctrl, 0);
|
||
strlist_rev (&conflict_set);
|
||
if (rc)
|
||
{
|
||
strlist_t strlist_iter;
|
||
|
||
log_error (_("error gathering signature stats: %s\n"), sqerr);
|
||
sqlite3_free (sqerr);
|
||
sqerr = NULL;
|
||
|
||
es_fprintf (fp, ngettext("The email address \"%s\" is"
|
||
" associated with %d key:\n",
|
||
"The email address \"%s\" is"
|
||
" associated with %d keys:\n",
|
||
conflict_set_count),
|
||
email, conflict_set_count);
|
||
for (strlist_iter = conflict_set;
|
||
strlist_iter;
|
||
strlist_iter = strlist_iter->next)
|
||
es_fprintf (fp, " %s\n", strlist_iter->d);
|
||
}
|
||
else
|
||
{
|
||
char *key = NULL;
|
||
strlist_t binding;
|
||
int seen_in_past = 0;
|
||
int encrypted = 1;
|
||
|
||
es_fprintf (fp, _("Statistics for keys"
|
||
" with the email address \"%s\":\n"),
|
||
email);
|
||
for (stats_iter = stats; stats_iter; stats_iter = stats_iter->next)
|
||
{
|
||
#if 0
|
||
log_debug ("%s: time_ago: %ld; count: %ld\n",
|
||
stats_iter->fingerprint,
|
||
stats_iter->time_ago,
|
||
stats_iter->count);
|
||
#endif
|
||
|
||
if (stats_iter->time_ago > 0 && encrypted)
|
||
{
|
||
/* We've change from the encrypted stats to the verified
|
||
* stats. Reset SEEN_IN_PAST. */
|
||
encrypted = 0;
|
||
seen_in_past = 0;
|
||
}
|
||
|
||
if (! key || strcmp (key, stats_iter->fingerprint))
|
||
{
|
||
int this_key;
|
||
char *key_pp;
|
||
|
||
key = stats_iter->fingerprint;
|
||
this_key = strcmp (key, fingerprint) == 0;
|
||
key_pp = format_hexfingerprint (key, NULL, 0);
|
||
es_fprintf (fp, " %s (", key_pp);
|
||
|
||
/* Find the associated binding. */
|
||
for (binding = conflict_set;
|
||
binding;
|
||
binding = binding->next)
|
||
if (strcmp (key, binding->d) == 0)
|
||
break;
|
||
log_assert (binding);
|
||
|
||
if ((binding->flags & BINDING_REVOKED))
|
||
{
|
||
es_fprintf (fp, _("revoked"));
|
||
es_fprintf (fp, ", ");
|
||
}
|
||
else if ((binding->flags & BINDING_EXPIRED))
|
||
{
|
||
es_fprintf (fp, _("expired"));
|
||
es_fprintf (fp, ", ");
|
||
}
|
||
|
||
if (this_key)
|
||
es_fprintf (fp, _("this key"));
|
||
else
|
||
es_fprintf (fp, _("policy: %s"),
|
||
tofu_policy_str (stats_iter->policy));
|
||
es_fputs ("):\n", fp);
|
||
xfree (key_pp);
|
||
|
||
seen_in_past = 0;
|
||
|
||
show_statistics (dbs, stats_iter->fingerprint, email,
|
||
TOFU_POLICY_ASK, NULL, 1, now);
|
||
}
|
||
|
||
if (labs(stats_iter->time_ago) == 1)
|
||
{
|
||
/* The 1 in this case is the NULL entry. */
|
||
log_assert (stats_iter->count == 1);
|
||
stats_iter->count = 0;
|
||
}
|
||
seen_in_past += stats_iter->count;
|
||
|
||
es_fputs (" ", fp);
|
||
|
||
if (!stats_iter->count)
|
||
{
|
||
if (stats_iter->time_ago > 0)
|
||
es_fprintf (fp, ngettext("Verified %d message.",
|
||
"Verified %d messages.",
|
||
seen_in_past), seen_in_past);
|
||
else
|
||
es_fprintf (fp, ngettext("Encrypted %d message.",
|
||
"Encrypted %d messages.",
|
||
seen_in_past), seen_in_past);
|
||
}
|
||
else if (labs(stats_iter->time_ago) == 2)
|
||
{
|
||
if (stats_iter->time_ago > 0)
|
||
es_fprintf (fp, ngettext("Verified %d message in the future.",
|
||
"Verified %d messages in the future.",
|
||
seen_in_past), seen_in_past);
|
||
else
|
||
es_fprintf (fp, ngettext("Encrypted %d message in the future.",
|
||
"Encrypted %d messages in the future.",
|
||
seen_in_past), seen_in_past);
|
||
/* Reset it. */
|
||
seen_in_past = 0;
|
||
}
|
||
else
|
||
{
|
||
if (labs(stats_iter->time_ago) == 3)
|
||
{
|
||
int days = 1 + stats_iter->time_ago / TIME_AGO_UNIT_SMALL;
|
||
if (stats_iter->time_ago > 0)
|
||
es_fprintf
|
||
(fp,
|
||
ngettext("Messages verified over the past %d day: %d.",
|
||
"Messages verified over the past %d days: %d.",
|
||
days), days, seen_in_past);
|
||
else
|
||
es_fprintf
|
||
(fp,
|
||
ngettext("Messages encrypted over the past %d day: %d.",
|
||
"Messages encrypted over the past %d days: %d.",
|
||
days), days, seen_in_past);
|
||
}
|
||
else if (labs(stats_iter->time_ago) == 4)
|
||
{
|
||
int months = 1 + stats_iter->time_ago / TIME_AGO_UNIT_MEDIUM;
|
||
if (stats_iter->time_ago > 0)
|
||
es_fprintf
|
||
(fp,
|
||
ngettext("Messages verified over the past %d month: %d.",
|
||
"Messages verified over the past %d months: %d.",
|
||
months), months, seen_in_past);
|
||
else
|
||
es_fprintf
|
||
(fp,
|
||
ngettext("Messages encrypted over the past %d month: %d.",
|
||
"Messages encrypted over the past %d months: %d.",
|
||
months), months, seen_in_past);
|
||
}
|
||
else if (labs(stats_iter->time_ago) == 5)
|
||
{
|
||
int years = 1 + stats_iter->time_ago / TIME_AGO_UNIT_LARGE;
|
||
if (stats_iter->time_ago > 0)
|
||
es_fprintf
|
||
(fp,
|
||
ngettext("Messages verified over the past %d year: %d.",
|
||
"Messages verified over the past %d years: %d.",
|
||
years), years, seen_in_past);
|
||
else
|
||
es_fprintf
|
||
(fp,
|
||
ngettext("Messages encrypted over the past %d year: %d.",
|
||
"Messages encrypted over the past %d years: %d.",
|
||
years), years, seen_in_past);
|
||
}
|
||
else if (labs(stats_iter->time_ago) == 6)
|
||
{
|
||
if (stats_iter->time_ago > 0)
|
||
es_fprintf
|
||
(fp, _("Messages verified in the past: %d."),
|
||
seen_in_past);
|
||
else
|
||
es_fprintf
|
||
(fp, _("Messages encrypted in the past: %d."),
|
||
seen_in_past);
|
||
}
|
||
else
|
||
log_assert (! "Broken SQL.\n");
|
||
}
|
||
es_fputs ("\n", fp);
|
||
}
|
||
}
|
||
|
||
if (conflict_set_count > 1 || (conflict_set->flags & BINDING_CONFLICT))
|
||
{
|
||
/* This is a conflict. */
|
||
|
||
/* TRANSLATORS: Please translate the text found in the source
|
||
* file below. We don't directly internationalize that text so
|
||
* that we can tweak it without breaking translations. */
|
||
const char *text = _("TOFU detected a binding conflict");
|
||
char *textbuf;
|
||
if (!strcmp (text, "TOFU detected a binding conflict"))
|
||
{
|
||
/* No translation. Use the English text. */
|
||
text =
|
||
"Normally, an email address is associated with a single key. "
|
||
"However, people sometimes generate a new key if "
|
||
"their key is too old or they think it might be compromised. "
|
||
"Alternatively, a new key may indicate a man-in-the-middle "
|
||
"attack! Before accepting this association, you should talk to or "
|
||
"call the person to make sure this new key is legitimate.";
|
||
}
|
||
textbuf = format_text (text, 72, 80);
|
||
es_fprintf (fp, "\n%s\n", textbuf? textbuf : "[OUT OF CORE!]");
|
||
xfree (textbuf);
|
||
}
|
||
|
||
es_fputc ('\n', fp);
|
||
|
||
/* Add a NUL terminator. */
|
||
es_fputc (0, fp);
|
||
if (es_fclose_snatch (fp, (void **) &prompt, NULL))
|
||
log_fatal ("error snatching memory stream\n");
|
||
|
||
/* I think showing the large message once is sufficient. If we
|
||
* would move it right before the cpr_get many lines will scroll
|
||
* away and the user might not realize that he merely entered a
|
||
* wrong choice (because he does not see that either). As a small
|
||
* benefit we allow C-L to redisplay everything. */
|
||
tty_printf ("%s", prompt);
|
||
|
||
/* Suspend any transaction: it could take a while until the user
|
||
responds. */
|
||
tofu_suspend_batch_transaction (ctrl);
|
||
while (1)
|
||
{
|
||
char *response;
|
||
|
||
/* TRANSLATORS: Two letters (normally the lower and upper case
|
||
* version of the hotkey) for each of the five choices. If
|
||
* there is only one choice in your language, repeat it. */
|
||
choices = _("gG" "aA" "uU" "rR" "bB");
|
||
if (strlen (choices) != 10)
|
||
log_bug ("Bad TOFU conflict translation! Please report.");
|
||
|
||
response = cpr_get
|
||
("tofu.conflict",
|
||
_("(G)ood, (A)ccept once, (U)nknown, (R)eject once, (B)ad? "));
|
||
trim_spaces (response);
|
||
cpr_kill_prompt ();
|
||
if (*response == CONTROL_L)
|
||
tty_printf ("%s", prompt);
|
||
else if (!response[0])
|
||
/* Default to unknown. Don't save it. */
|
||
{
|
||
xfree (response);
|
||
tty_printf (_("Defaulting to unknown.\n"));
|
||
*policy = TOFU_POLICY_UNKNOWN;
|
||
break;
|
||
}
|
||
else if (!response[1])
|
||
{
|
||
char *choice = strchr (choices, *response);
|
||
|
||
if (choice)
|
||
{
|
||
int c = ((size_t) choice - (size_t) choices) / 2;
|
||
xfree (response);
|
||
|
||
switch (c)
|
||
{
|
||
case 0: /* Good. */
|
||
*policy = TOFU_POLICY_GOOD;
|
||
*trust_level = tofu_policy_to_trust_level (*policy);
|
||
break;
|
||
case 1: /* Accept once. */
|
||
*policy = TOFU_POLICY_ASK;
|
||
*trust_level = tofu_policy_to_trust_level (TOFU_POLICY_GOOD);
|
||
break;
|
||
case 2: /* Unknown. */
|
||
*policy = TOFU_POLICY_UNKNOWN;
|
||
*trust_level = tofu_policy_to_trust_level (*policy);
|
||
break;
|
||
case 3: /* Reject once. */
|
||
*policy = TOFU_POLICY_ASK;
|
||
*trust_level = tofu_policy_to_trust_level (TOFU_POLICY_BAD);
|
||
break;
|
||
case 4: /* Bad. */
|
||
*policy = TOFU_POLICY_BAD;
|
||
*trust_level = tofu_policy_to_trust_level (*policy);
|
||
break;
|
||
default:
|
||
log_bug ("c should be between 0 and 4 but it is %d!", c);
|
||
}
|
||
|
||
if (record_binding (dbs, fingerprint, email, user_id,
|
||
*policy, TOFU_POLICY_NONE, NULL, 0, 0, now))
|
||
{
|
||
/* If there's an error registering the
|
||
* binding, don't save the signature. */
|
||
*trust_level = _tofu_GET_TRUST_ERROR;
|
||
}
|
||
break;
|
||
}
|
||
}
|
||
xfree (response);
|
||
}
|
||
|
||
tofu_resume_batch_transaction (ctrl);
|
||
|
||
xfree (prompt);
|
||
|
||
signature_stats_free (stats);
|
||
}
|
||
|
||
/* Return the set of keys that conflict with the binding <fingerprint,
|
||
email> (including the binding itself, which will be first in the
|
||
list). For each returned key also sets BINDING_NEW, etc. */
|
||
static strlist_t
|
||
build_conflict_set (ctrl_t ctrl, tofu_dbs_t dbs,
|
||
PKT_public_key *pk, const char *fingerprint,
|
||
const char *email)
|
||
{
|
||
gpg_error_t rc;
|
||
char *sqerr;
|
||
strlist_t conflict_set = NULL;
|
||
int conflict_set_count;
|
||
strlist_t iter;
|
||
kbnode_t *kb_all;
|
||
KEYDB_HANDLE hd;
|
||
int i;
|
||
|
||
/* Get the fingerprints of any bindings that share the email address
|
||
* and whether the bindings have a known conflict.
|
||
*
|
||
* Note: if the binding in question is in the DB, it will also be
|
||
* returned. Thus, if the result set is empty, then <email,
|
||
* fingerprint> is a new binding. */
|
||
rc = gpgsql_stepx
|
||
(dbs->db, &dbs->s.get_trust_bindings_with_this_email,
|
||
strings_collect_cb2, &conflict_set, &sqerr,
|
||
"select"
|
||
/* A binding should only appear once, but try not to break in the
|
||
* case of corruption. */
|
||
" fingerprint || case sum(conflict NOTNULL) when 0 then '' else '!' end"
|
||
" from bindings where email = ?"
|
||
" group by fingerprint"
|
||
/* Make sure the current key comes first in the result list (if
|
||
it is present). */
|
||
" order by fingerprint = ? asc, fingerprint desc;",
|
||
GPGSQL_ARG_STRING, email,
|
||
GPGSQL_ARG_STRING, fingerprint,
|
||
GPGSQL_ARG_END);
|
||
if (rc)
|
||
{
|
||
log_error (_("error reading TOFU database: %s\n"), sqerr);
|
||
print_further_info ("listing fingerprints");
|
||
sqlite3_free (sqerr);
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
return NULL;
|
||
}
|
||
|
||
/* Set BINDING_CONFLICT if the binding has a known conflict. This
|
||
* allows us to distinguish between bindings where the user
|
||
* explicitly set the policy to ask and bindings where we set the
|
||
* policy to ask due to a conflict. */
|
||
for (iter = conflict_set; iter; iter = iter->next)
|
||
{
|
||
/* Fixme: Why the check against N+1? */
|
||
int l = strlen (iter->d);
|
||
if (!(l == 2 * 20
|
||
|| l == 2 * 20 + 1
|
||
|| l == 2 * 32
|
||
|| l == 2 * 32 + 1))
|
||
{
|
||
log_error (_("TOFU db corruption detected.\n"));
|
||
print_further_info ("fingerprint '%s' is %d characters long",
|
||
iter->d, l);
|
||
}
|
||
|
||
if (l >= 1 && iter->d[l - 1] == '!')
|
||
{
|
||
iter->flags |= BINDING_CONFLICT;
|
||
/* Remove the !. */
|
||
iter->d[l - 1] = 0;
|
||
}
|
||
}
|
||
|
||
/* If the current binding has not yet been recorded, add it to the
|
||
* list. (The order by above ensures that if it is present, it will
|
||
* be first.) */
|
||
if (! (conflict_set && strcmp (conflict_set->d, fingerprint) == 0))
|
||
{
|
||
add_to_strlist (&conflict_set, fingerprint);
|
||
conflict_set->flags |= BINDING_NEW;
|
||
}
|
||
|
||
conflict_set_count = strlist_length (conflict_set);
|
||
|
||
/* Eliminate false conflicts. */
|
||
|
||
if (conflict_set_count == 1)
|
||
/* We only have a single key. There are no false conflicts to
|
||
eliminate. But, we do need to set the flags. */
|
||
{
|
||
if (pk->has_expired)
|
||
conflict_set->flags |= BINDING_EXPIRED;
|
||
if (pk->flags.revoked)
|
||
conflict_set->flags |= BINDING_REVOKED;
|
||
|
||
return conflict_set;
|
||
}
|
||
|
||
/* If two keys have cross signatures, then they are controlled by
|
||
* the same person and thus are not in conflict. */
|
||
kb_all = xcalloc (sizeof (kb_all[0]), conflict_set_count);
|
||
hd = keydb_new (ctrl);
|
||
for (i = 0, iter = conflict_set;
|
||
i < conflict_set_count;
|
||
i ++, iter = iter->next)
|
||
{
|
||
char *fp = iter->d;
|
||
KEYDB_SEARCH_DESC desc;
|
||
kbnode_t kb;
|
||
PKT_public_key *binding_pk;
|
||
kbnode_t n;
|
||
int found_user_id;
|
||
|
||
rc = keydb_search_reset (hd);
|
||
if (rc)
|
||
{
|
||
log_error ("resetting keydb failed: %s\n", gpg_strerror (rc));
|
||
continue;
|
||
}
|
||
|
||
rc = classify_user_id (fp, &desc, 0);
|
||
if (rc)
|
||
{
|
||
log_error (_("error parsing key specification '%s': %s\n"),
|
||
fp, gpg_strerror (rc));
|
||
continue;
|
||
}
|
||
|
||
rc = keydb_search (hd, &desc, 1, NULL);
|
||
if (rc)
|
||
{
|
||
/* Note: it is entirely possible that we don't have the key
|
||
corresponding to an entry in the TOFU DB. This can
|
||
happen if we merge two TOFU DBs, but not the key
|
||
rings. */
|
||
log_info (_("key \"%s\" not found: %s\n"),
|
||
fp, gpg_strerror (rc));
|
||
continue;
|
||
}
|
||
|
||
rc = keydb_get_keyblock (hd, &kb);
|
||
if (rc)
|
||
{
|
||
log_error (_("error reading keyblock: %s\n"),
|
||
gpg_strerror (rc));
|
||
print_further_info ("fingerprint: %s", fp);
|
||
continue;
|
||
}
|
||
|
||
merge_keys_and_selfsig (ctrl, kb);
|
||
|
||
log_assert (kb->pkt->pkttype == PKT_PUBLIC_KEY);
|
||
|
||
kb_all[i] = kb;
|
||
|
||
/* Since we have the key block, use this opportunity to figure
|
||
* out if the binding is expired or revoked. */
|
||
binding_pk = kb->pkt->pkt.public_key;
|
||
|
||
/* The binding is always expired/revoked if the key is
|
||
* expired/revoked. */
|
||
if (binding_pk->has_expired)
|
||
iter->flags |= BINDING_EXPIRED;
|
||
if (binding_pk->flags.revoked)
|
||
iter->flags |= BINDING_REVOKED;
|
||
|
||
/* The binding is also expired/revoked if the user id is
|
||
* expired/revoked. */
|
||
n = kb;
|
||
found_user_id = 0;
|
||
while ((n = find_next_kbnode (n, PKT_USER_ID)) && ! found_user_id)
|
||
{
|
||
PKT_user_id *user_id2 = n->pkt->pkt.user_id;
|
||
char *email2;
|
||
|
||
if (user_id2->attrib_data)
|
||
continue;
|
||
|
||
email2 = email_from_user_id (user_id2->name);
|
||
|
||
if (strcmp (email, email2) == 0)
|
||
{
|
||
found_user_id = 1;
|
||
|
||
if (user_id2->flags.revoked)
|
||
iter->flags |= BINDING_REVOKED;
|
||
if (user_id2->flags.expired)
|
||
iter->flags |= BINDING_EXPIRED;
|
||
}
|
||
|
||
xfree (email2);
|
||
}
|
||
|
||
if (! found_user_id)
|
||
{
|
||
log_info (_("TOFU db corruption detected.\n"));
|
||
print_further_info ("user id '%s' not on key block '%s'",
|
||
email, fingerprint);
|
||
}
|
||
}
|
||
keydb_release (hd);
|
||
|
||
/* Now that we have the key blocks, check for cross sigs. */
|
||
{
|
||
int j;
|
||
strlist_t *prevp;
|
||
strlist_t iter_next;
|
||
int *die;
|
||
|
||
log_assert (conflict_set_count > 0);
|
||
die = xtrycalloc (conflict_set_count, sizeof *die);
|
||
if (!die)
|
||
{
|
||
/*err = gpg_error_from_syserror ();*/
|
||
xoutofcore (); /* Fixme: Let the function return an error. */
|
||
}
|
||
|
||
for (i = 0; i < conflict_set_count; i ++)
|
||
{
|
||
/* Look for cross sigs between this key (i == 0) or a key
|
||
* that has cross sigs with i == 0 (i.e., transitively) */
|
||
if (! (i == 0 || die[i]))
|
||
continue;
|
||
|
||
for (j = i + 1; j < conflict_set_count; j ++)
|
||
/* Be careful: we might not have a key block for a key. */
|
||
if (kb_all[i] && kb_all[j] && cross_sigs (email, kb_all[i], kb_all[j]))
|
||
die[j] = 1;
|
||
}
|
||
|
||
/* Free unconflicting bindings (and all of the key blocks). */
|
||
for (iter = conflict_set, prevp = &conflict_set, i = 0;
|
||
iter;
|
||
iter = iter_next, i ++)
|
||
{
|
||
iter_next = iter->next;
|
||
|
||
release_kbnode (kb_all[i]);
|
||
|
||
if (die[i])
|
||
{
|
||
*prevp = iter_next;
|
||
iter->next = NULL;
|
||
free_strlist (iter);
|
||
conflict_set_count --;
|
||
}
|
||
else
|
||
{
|
||
prevp = &iter->next;
|
||
}
|
||
}
|
||
|
||
/* We shouldn't have removed the head. */
|
||
log_assert (conflict_set);
|
||
log_assert (conflict_set_count >= 1);
|
||
xfree (die);
|
||
}
|
||
xfree (kb_all);
|
||
|
||
if (DBG_TRUST)
|
||
{
|
||
log_debug ("binding <key: %s, email: %s> conflicts:\n",
|
||
fingerprint, email);
|
||
for (iter = conflict_set; iter; iter = iter->next)
|
||
{
|
||
log_debug (" %s:%s%s%s%s\n",
|
||
iter->d,
|
||
(iter->flags & BINDING_NEW) ? " new" : "",
|
||
(iter->flags & BINDING_CONFLICT) ? " known_conflict" : "",
|
||
(iter->flags & BINDING_EXPIRED) ? " expired" : "",
|
||
(iter->flags & BINDING_REVOKED) ? " revoked" : "");
|
||
}
|
||
}
|
||
|
||
return conflict_set;
|
||
}
|
||
|
||
|
||
/* Return the effective policy for the binding <FINGERPRINT, EMAIL>
|
||
* (email has already been normalized). Returns
|
||
* _tofu_GET_POLICY_ERROR if an error occurs. Returns any conflict
|
||
* information in *CONFLICT_SETP if CONFLICT_SETP is not NULL and the
|
||
* returned policy is TOFU_POLICY_ASK (consequently, if there is a
|
||
* conflict, but the user set the policy to good *CONFLICT_SETP will
|
||
* empty). Note: as per build_conflict_set, which is used to build
|
||
* the conflict information, the conflict information includes the
|
||
* current user id as the first element of the linked list.
|
||
*
|
||
* This function registers the binding in the bindings table if it has
|
||
* not yet been registered.
|
||
*/
|
||
static enum tofu_policy
|
||
get_policy (ctrl_t ctrl, tofu_dbs_t dbs, PKT_public_key *pk,
|
||
const char *fingerprint, const char *user_id, const char *email,
|
||
strlist_t *conflict_setp, time_t now)
|
||
{
|
||
int rc;
|
||
char *err = NULL;
|
||
strlist_t results = NULL;
|
||
enum tofu_policy policy = _tofu_GET_POLICY_ERROR;
|
||
enum tofu_policy effective_policy_orig = TOFU_POLICY_NONE;
|
||
enum tofu_policy effective_policy = _tofu_GET_POLICY_ERROR;
|
||
long along;
|
||
char *conflict_orig = NULL;
|
||
char *conflict = NULL;
|
||
strlist_t conflict_set = NULL;
|
||
int conflict_set_count;
|
||
|
||
/* Check if the <FINGERPRINT, EMAIL> binding is known
|
||
(TOFU_POLICY_NONE cannot appear in the DB. Thus, if POLICY is
|
||
still TOFU_POLICY_NONE after executing the query, then the
|
||
result set was empty.) */
|
||
rc = gpgsql_stepx (dbs->db, &dbs->s.get_policy_select_policy_and_conflict,
|
||
strings_collect_cb2, &results, &err,
|
||
"select policy, conflict, effective_policy from bindings\n"
|
||
" where fingerprint = ? and email = ?",
|
||
GPGSQL_ARG_STRING, fingerprint,
|
||
GPGSQL_ARG_STRING, email,
|
||
GPGSQL_ARG_END);
|
||
if (rc)
|
||
{
|
||
log_error (_("error reading TOFU database: %s\n"), err);
|
||
print_further_info ("reading the policy");
|
||
sqlite3_free (err);
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
goto out;
|
||
}
|
||
|
||
if (strlist_length (results) == 0)
|
||
{
|
||
/* No results. Use the defaults. */
|
||
policy = TOFU_POLICY_NONE;
|
||
effective_policy = TOFU_POLICY_NONE;
|
||
}
|
||
else if (strlist_length (results) == 3)
|
||
{
|
||
/* Parse and sanity check the results. */
|
||
|
||
if (string_to_long (&along, results->d, 0, __LINE__))
|
||
{
|
||
log_error (_("error reading TOFU database: %s\n"),
|
||
gpg_strerror (GPG_ERR_BAD_DATA));
|
||
print_further_info ("bad value for policy: %s", results->d);
|
||
goto out;
|
||
}
|
||
policy = along;
|
||
|
||
if (! (policy == TOFU_POLICY_AUTO
|
||
|| policy == TOFU_POLICY_GOOD
|
||
|| policy == TOFU_POLICY_UNKNOWN
|
||
|| policy == TOFU_POLICY_BAD
|
||
|| policy == TOFU_POLICY_ASK))
|
||
{
|
||
log_error (_("error reading TOFU database: %s\n"),
|
||
gpg_strerror (GPG_ERR_DB_CORRUPTED));
|
||
print_further_info ("invalid value for policy (%d)", policy);
|
||
effective_policy = _tofu_GET_POLICY_ERROR;
|
||
goto out;
|
||
}
|
||
|
||
if (*results->next->d)
|
||
conflict = xstrdup (results->next->d);
|
||
|
||
if (string_to_long (&along, results->next->next->d, 0, __LINE__))
|
||
{
|
||
log_error (_("error reading TOFU database: %s\n"),
|
||
gpg_strerror (GPG_ERR_BAD_DATA));
|
||
print_further_info ("bad value for effective policy: %s",
|
||
results->next->next->d);
|
||
goto out;
|
||
}
|
||
effective_policy = along;
|
||
|
||
if (! (effective_policy == TOFU_POLICY_NONE
|
||
|| effective_policy == TOFU_POLICY_AUTO
|
||
|| effective_policy == TOFU_POLICY_GOOD
|
||
|| effective_policy == TOFU_POLICY_UNKNOWN
|
||
|| effective_policy == TOFU_POLICY_BAD
|
||
|| effective_policy == TOFU_POLICY_ASK))
|
||
{
|
||
log_error (_("error reading TOFU database: %s\n"),
|
||
gpg_strerror (GPG_ERR_DB_CORRUPTED));
|
||
print_further_info ("invalid value for effective_policy (%d)",
|
||
effective_policy);
|
||
effective_policy = _tofu_GET_POLICY_ERROR;
|
||
goto out;
|
||
}
|
||
}
|
||
else
|
||
{
|
||
/* The result has the wrong form. */
|
||
|
||
log_error (_("error reading TOFU database: %s\n"),
|
||
gpg_strerror (GPG_ERR_BAD_DATA));
|
||
print_further_info ("reading policy: expected 3 columns, got %d\n",
|
||
strlist_length (results));
|
||
goto out;
|
||
}
|
||
|
||
/* Save the effective policy and conflict so we know if we changed
|
||
* them. */
|
||
effective_policy_orig = effective_policy;
|
||
conflict_orig = conflict;
|
||
|
||
/* Unless there is a conflict, if the effective policy is cached,
|
||
* just return it. The reason we don't do this when there is a
|
||
* conflict is because of the following scenario: assume A and B
|
||
* conflict and B has signed A's key. Now, later we import A's
|
||
* signature on B. We need to recheck A, but the signature was on
|
||
* B, i.e., when B changes, we invalidate B's effective policy, but
|
||
* we also need to invalidate A's effective policy. Instead, we
|
||
* assume that conflicts are rare and don't optimize for them, which
|
||
* would complicate the code. */
|
||
if (effective_policy != TOFU_POLICY_NONE && !conflict)
|
||
goto out;
|
||
|
||
/* If the user explicitly set the policy, then respect that. */
|
||
if (policy != TOFU_POLICY_AUTO && policy != TOFU_POLICY_NONE)
|
||
{
|
||
effective_policy = policy;
|
||
goto out;
|
||
}
|
||
|
||
/* Unless proven wrong, assume the effective policy is 'auto'. */
|
||
effective_policy = TOFU_POLICY_AUTO;
|
||
|
||
/* See if the key is ultimately trusted. */
|
||
{
|
||
u32 kid[2];
|
||
|
||
keyid_from_pk (pk, kid);
|
||
if (tdb_keyid_is_utk (kid))
|
||
{
|
||
effective_policy = TOFU_POLICY_GOOD;
|
||
goto out;
|
||
}
|
||
}
|
||
|
||
/* See if the key is signed by an ultimately trusted key. */
|
||
{
|
||
int fingerprint_raw_len = strlen (fingerprint) / 2;
|
||
char fingerprint_raw[MAX_FINGERPRINT_LEN];
|
||
int len = 0;
|
||
|
||
/* FIXME(fingerprint) */
|
||
if (fingerprint_raw_len != 20 /*sizeof fingerprint_raw */
|
||
|| ((len = hex2bin (fingerprint,
|
||
fingerprint_raw, fingerprint_raw_len))
|
||
!= strlen (fingerprint)))
|
||
{
|
||
if (DBG_TRUST)
|
||
log_debug ("TOFU: Bad fingerprint: %s (len: %zu, parsed: %d)\n",
|
||
fingerprint, strlen (fingerprint), len);
|
||
}
|
||
else
|
||
{
|
||
int lookup_err;
|
||
kbnode_t kb;
|
||
|
||
lookup_err = get_pubkey_byfpr (ctrl, NULL, &kb,
|
||
fingerprint_raw, fingerprint_raw_len);
|
||
if (lookup_err)
|
||
{
|
||
if (DBG_TRUST)
|
||
log_debug ("TOFU: Looking up %s: %s\n",
|
||
fingerprint, gpg_strerror (lookup_err));
|
||
}
|
||
else
|
||
{
|
||
int is_signed_by_utk = signed_by_utk (email, kb);
|
||
release_kbnode (kb);
|
||
if (is_signed_by_utk)
|
||
{
|
||
effective_policy = TOFU_POLICY_GOOD;
|
||
goto out;
|
||
}
|
||
}
|
||
}
|
||
}
|
||
|
||
/* Check for any conflicts / see if a previously discovered conflict
|
||
* disappeared. The latter can happen if the conflicting bindings
|
||
* are now cross signed, for instance. */
|
||
|
||
conflict_set = build_conflict_set (ctrl, dbs, pk, fingerprint, email);
|
||
conflict_set_count = strlist_length (conflict_set);
|
||
if (conflict_set_count == 0)
|
||
{
|
||
/* build_conflict_set should always at least return the current
|
||
binding. Something went wrong. */
|
||
effective_policy = _tofu_GET_POLICY_ERROR;
|
||
goto out;
|
||
}
|
||
|
||
if (conflict_set_count == 1
|
||
&& (conflict_set->flags & BINDING_NEW))
|
||
{
|
||
/* We've never observed a binding with this email address and we
|
||
* have a default policy, which is not to ask the user. */
|
||
|
||
/* If we've seen this binding, then we've seen this email and
|
||
* policy couldn't possibly be TOFU_POLICY_NONE. */
|
||
log_assert (policy == TOFU_POLICY_NONE);
|
||
|
||
if (DBG_TRUST)
|
||
log_debug ("TOFU: New binding <key: %s, user id: %s>, no conflict.\n",
|
||
fingerprint, email);
|
||
|
||
effective_policy = TOFU_POLICY_AUTO;
|
||
goto out;
|
||
}
|
||
|
||
if (conflict_set_count == 1
|
||
&& (conflict_set->flags & BINDING_CONFLICT))
|
||
{
|
||
/* No known conflicts now, but there was a conflict. This means
|
||
* at some point, there was a conflict and we changed this
|
||
* binding's policy to ask and set the conflicting key. The
|
||
* conflict can go away if there is not a cross sig between the
|
||
* two keys. In this case, just silently clear the conflict and
|
||
* reset the policy to auto. */
|
||
|
||
if (DBG_TRUST)
|
||
log_debug ("TOFU: binding <key: %s, user id: %s> had a conflict, but it's been resolved (probably via cross sig).\n",
|
||
fingerprint, email);
|
||
|
||
effective_policy = TOFU_POLICY_AUTO;
|
||
conflict = NULL;
|
||
|
||
goto out;
|
||
}
|
||
|
||
if (conflict_set_count == 1)
|
||
{
|
||
/* No conflicts and never marked as conflicting. */
|
||
|
||
log_assert (!conflict);
|
||
|
||
effective_policy = TOFU_POLICY_AUTO;
|
||
|
||
goto out;
|
||
}
|
||
|
||
/* There is a conflicting key. */
|
||
log_assert (conflict_set_count > 1);
|
||
effective_policy = TOFU_POLICY_ASK;
|
||
conflict = xstrdup (conflict_set->next->d);
|
||
|
||
out:
|
||
log_assert (policy == _tofu_GET_POLICY_ERROR
|
||
|| policy == TOFU_POLICY_NONE
|
||
|| policy == TOFU_POLICY_AUTO
|
||
|| policy == TOFU_POLICY_GOOD
|
||
|| policy == TOFU_POLICY_UNKNOWN
|
||
|| policy == TOFU_POLICY_BAD
|
||
|| policy == TOFU_POLICY_ASK);
|
||
/* Everything but NONE. */
|
||
log_assert (effective_policy == _tofu_GET_POLICY_ERROR
|
||
|| effective_policy == TOFU_POLICY_AUTO
|
||
|| effective_policy == TOFU_POLICY_GOOD
|
||
|| effective_policy == TOFU_POLICY_UNKNOWN
|
||
|| effective_policy == TOFU_POLICY_BAD
|
||
|| effective_policy == TOFU_POLICY_ASK);
|
||
|
||
if (effective_policy != TOFU_POLICY_ASK && conflict)
|
||
conflict = NULL;
|
||
|
||
/* If we don't have a record of this binding, its effective policy
|
||
* changed, or conflict changed, update the DB. */
|
||
if (effective_policy != _tofu_GET_POLICY_ERROR
|
||
&& (/* New binding. */
|
||
policy == TOFU_POLICY_NONE
|
||
/* effective_policy changed. */
|
||
|| effective_policy != effective_policy_orig
|
||
/* conflict changed. */
|
||
|| (conflict != conflict_orig
|
||
&& (!conflict || !conflict_orig
|
||
|| strcmp (conflict, conflict_orig) != 0))))
|
||
{
|
||
if (record_binding (dbs, fingerprint, email, user_id,
|
||
policy == TOFU_POLICY_NONE ? TOFU_POLICY_AUTO : policy,
|
||
effective_policy, conflict, 1, 0, now) != 0)
|
||
log_error ("error setting TOFU binding's policy"
|
||
" to %s\n", tofu_policy_str (policy));
|
||
}
|
||
|
||
/* If the caller wants the set of conflicts, return it. */
|
||
if (effective_policy == TOFU_POLICY_ASK && conflict_setp)
|
||
{
|
||
if (! conflict_set)
|
||
conflict_set = build_conflict_set (ctrl, dbs, pk, fingerprint, email);
|
||
*conflict_setp = conflict_set;
|
||
}
|
||
else
|
||
{
|
||
free_strlist (conflict_set);
|
||
|
||
if (conflict_setp)
|
||
*conflict_setp = NULL;
|
||
}
|
||
|
||
xfree (conflict_orig);
|
||
if (conflict != conflict_orig)
|
||
xfree (conflict);
|
||
free_strlist (results);
|
||
|
||
return effective_policy;
|
||
}
|
||
|
||
|
||
/* Return the trust level (TRUST_NEVER, etc.) for the binding
|
||
* <FINGERPRINT, EMAIL> (email is already normalized). If no policy
|
||
* is registered, returns TOFU_POLICY_NONE. If an error occurs,
|
||
* returns _tofu_GET_TRUST_ERROR.
|
||
*
|
||
* PK is the public key object for FINGERPRINT.
|
||
*
|
||
* USER_ID is the unadulterated user id.
|
||
*
|
||
* If MAY_ASK is set, then we may interact with the user. This is
|
||
* necessary if there is a conflict or the binding's policy is
|
||
* TOFU_POLICY_ASK. In the case of a conflict, we set the new
|
||
* conflicting binding's policy to TOFU_POLICY_ASK. In either case,
|
||
* we return TRUST_UNDEFINED. Note: if MAY_ASK is set, then this
|
||
* function must not be called while in a transaction! */
|
||
static enum tofu_policy
|
||
get_trust (ctrl_t ctrl, PKT_public_key *pk,
|
||
const char *fingerprint, const char *email,
|
||
const char *user_id, int may_ask,
|
||
enum tofu_policy *policyp, strlist_t *conflict_setp,
|
||
time_t now)
|
||
{
|
||
tofu_dbs_t dbs = ctrl->tofu.dbs;
|
||
int in_transaction = 0;
|
||
enum tofu_policy policy;
|
||
int rc;
|
||
char *sqerr = NULL;
|
||
strlist_t conflict_set = NULL;
|
||
int trust_level = TRUST_UNKNOWN;
|
||
strlist_t iter;
|
||
|
||
log_assert (dbs);
|
||
|
||
if (may_ask)
|
||
log_assert (dbs->in_transaction == 0);
|
||
|
||
if (opt.batch)
|
||
may_ask = 0;
|
||
|
||
log_assert (pk_is_primary (pk));
|
||
|
||
/* Make sure _tofu_GET_TRUST_ERROR isn't equal to any of the trust
|
||
levels. */
|
||
log_assert (_tofu_GET_TRUST_ERROR != TRUST_UNKNOWN
|
||
&& _tofu_GET_TRUST_ERROR != TRUST_EXPIRED
|
||
&& _tofu_GET_TRUST_ERROR != TRUST_UNDEFINED
|
||
&& _tofu_GET_TRUST_ERROR != TRUST_NEVER
|
||
&& _tofu_GET_TRUST_ERROR != TRUST_MARGINAL
|
||
&& _tofu_GET_TRUST_ERROR != TRUST_FULLY
|
||
&& _tofu_GET_TRUST_ERROR != TRUST_ULTIMATE);
|
||
|
||
begin_transaction (ctrl, 0);
|
||
in_transaction = 1;
|
||
|
||
/* We need to call get_policy even if the key is ultimately trusted
|
||
* to make sure the binding has been registered. */
|
||
policy = get_policy (ctrl, dbs, pk, fingerprint, user_id, email,
|
||
&conflict_set, now);
|
||
|
||
if (policy == TOFU_POLICY_ASK)
|
||
/* The conflict set should always contain at least one element:
|
||
* the current key. */
|
||
log_assert (conflict_set);
|
||
else
|
||
/* If the policy is not TOFU_POLICY_ASK, then conflict_set will be
|
||
* NULL. */
|
||
log_assert (! conflict_set);
|
||
|
||
/* If the key is ultimately trusted, there is nothing to do. */
|
||
{
|
||
u32 kid[2];
|
||
|
||
keyid_from_pk (pk, kid);
|
||
if (tdb_keyid_is_utk (kid))
|
||
{
|
||
trust_level = TRUST_ULTIMATE;
|
||
policy = TOFU_POLICY_GOOD;
|
||
goto out;
|
||
}
|
||
}
|
||
|
||
if (policy == TOFU_POLICY_AUTO)
|
||
{
|
||
policy = opt.tofu_default_policy;
|
||
if (DBG_TRUST)
|
||
log_debug ("TOFU: binding <key: %s, user id: %s>'s policy is"
|
||
" auto (default: %s).\n",
|
||
fingerprint, email,
|
||
tofu_policy_str (opt.tofu_default_policy));
|
||
|
||
if (policy == TOFU_POLICY_ASK)
|
||
/* The default policy is ASK, but there is no conflict (policy
|
||
* was 'auto'). In this case, we need to make sure the
|
||
* conflict set includes at least the current user id. */
|
||
{
|
||
add_to_strlist (&conflict_set, fingerprint);
|
||
}
|
||
}
|
||
switch (policy)
|
||
{
|
||
case TOFU_POLICY_AUTO:
|
||
case TOFU_POLICY_GOOD:
|
||
case TOFU_POLICY_UNKNOWN:
|
||
case TOFU_POLICY_BAD:
|
||
/* The saved judgement is auto -> auto, good, unknown or bad.
|
||
* We don't need to ask the user anything. */
|
||
if (DBG_TRUST)
|
||
log_debug ("TOFU: Known binding <key: %s, user id: %s>'s policy: %s\n",
|
||
fingerprint, email, tofu_policy_str (policy));
|
||
trust_level = tofu_policy_to_trust_level (policy);
|
||
goto out;
|
||
|
||
case TOFU_POLICY_ASK:
|
||
/* We need to ask the user what to do. */
|
||
break;
|
||
|
||
case _tofu_GET_POLICY_ERROR:
|
||
trust_level = _tofu_GET_TRUST_ERROR;
|
||
goto out;
|
||
|
||
default:
|
||
log_bug ("%s: Impossible value for policy (%d)\n", __func__, policy);
|
||
}
|
||
|
||
|
||
/* We get here if:
|
||
*
|
||
* 1. The saved policy is auto and the default policy is ask
|
||
* (get_policy() == TOFU_POLICY_AUTO
|
||
* && opt.tofu_default_policy == TOFU_POLICY_ASK)
|
||
*
|
||
* 2. The saved policy is ask (either last time the user selected
|
||
* accept once or reject once or there was a conflict and this
|
||
* binding's policy was changed from auto to ask)
|
||
* (policy == TOFU_POLICY_ASK).
|
||
*/
|
||
log_assert (policy == TOFU_POLICY_ASK);
|
||
|
||
if (may_ask)
|
||
{
|
||
/* We can't be in a normal transaction in ask_about_binding. */
|
||
end_transaction (ctrl, 0);
|
||
in_transaction = 0;
|
||
|
||
/* If we get here, we need to ask the user about the binding. */
|
||
ask_about_binding (ctrl,
|
||
&policy,
|
||
&trust_level,
|
||
conflict_set,
|
||
fingerprint,
|
||
email,
|
||
user_id,
|
||
now);
|
||
}
|
||
else
|
||
{
|
||
trust_level = TRUST_UNDEFINED;
|
||
}
|
||
|
||
/* Mark any conflicting bindings that have an automatic policy as
|
||
* now requiring confirmation. Note: we do this after we ask for
|
||
* confirmation so that when the current policy is printed, it is
|
||
* correct. */
|
||
if (! in_transaction)
|
||
{
|
||
begin_transaction (ctrl, 0);
|
||
in_transaction = 1;
|
||
}
|
||
|
||
/* The conflict set should always contain at least one element:
|
||
* the current key. */
|
||
log_assert (conflict_set);
|
||
|
||
for (iter = conflict_set->next; iter; iter = iter->next)
|
||
{
|
||
/* We don't immediately set the effective policy to 'ask,
|
||
because */
|
||
rc = gpgsql_exec_printf
|
||
(dbs->db, NULL, NULL, &sqerr,
|
||
"update bindings set effective_policy = %d, conflict = %Q"
|
||
" where email = %Q and fingerprint = %Q and effective_policy != %d;",
|
||
TOFU_POLICY_NONE, fingerprint,
|
||
email, iter->d, TOFU_POLICY_ASK);
|
||
if (rc)
|
||
{
|
||
log_error (_("error changing TOFU policy: %s\n"), sqerr);
|
||
print_further_info ("binding: <key: %s, user id: %s>",
|
||
fingerprint, user_id);
|
||
sqlite3_free (sqerr);
|
||
sqerr = NULL;
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
}
|
||
else if (DBG_TRUST)
|
||
log_debug ("Set %s to conflict with %s\n",
|
||
iter->d, fingerprint);
|
||
}
|
||
|
||
out:
|
||
if (in_transaction)
|
||
end_transaction (ctrl, 0);
|
||
|
||
if (policyp)
|
||
*policyp = policy;
|
||
|
||
if (conflict_setp)
|
||
*conflict_setp = conflict_set;
|
||
else
|
||
free_strlist (conflict_set);
|
||
|
||
return trust_level;
|
||
}
|
||
|
||
|
||
/* Return a malloced string of the form
|
||
* "7~months"
|
||
* The caller should replace all '~' in the returned string by a space
|
||
* and also free the returned string.
|
||
*
|
||
* This is actually a bad hack which may not work correctly with all
|
||
* languages.
|
||
*/
|
||
static char *
|
||
time_ago_str (long long int t)
|
||
{
|
||
/* It would be nice to use a macro to do this, but gettext
|
||
works on the unpreprocessed code. */
|
||
#define MIN_SECS (60)
|
||
#define HOUR_SECS (60 * MIN_SECS)
|
||
#define DAY_SECS (24 * HOUR_SECS)
|
||
#define WEEK_SECS (7 * DAY_SECS)
|
||
#define MONTH_SECS (30 * DAY_SECS)
|
||
#define YEAR_SECS (365 * DAY_SECS)
|
||
|
||
if (t > 2 * YEAR_SECS)
|
||
{
|
||
long long int c = t / YEAR_SECS;
|
||
return xtryasprintf (ngettext("%lld~year", "%lld~years", c), c);
|
||
}
|
||
if (t > 2 * MONTH_SECS)
|
||
{
|
||
long long int c = t / MONTH_SECS;
|
||
return xtryasprintf (ngettext("%lld~month", "%lld~months", c), c);
|
||
}
|
||
if (t > 2 * WEEK_SECS)
|
||
{
|
||
long long int c = t / WEEK_SECS;
|
||
return xtryasprintf (ngettext("%lld~week", "%lld~weeks", c), c);
|
||
}
|
||
if (t > 2 * DAY_SECS)
|
||
{
|
||
long long int c = t / DAY_SECS;
|
||
return xtryasprintf (ngettext("%lld~day", "%lld~days", c), c);
|
||
}
|
||
if (t > 2 * HOUR_SECS)
|
||
{
|
||
long long int c = t / HOUR_SECS;
|
||
return xtryasprintf (ngettext("%lld~hour", "%lld~hours", c), c);
|
||
}
|
||
if (t > 2 * MIN_SECS)
|
||
{
|
||
long long int c = t / MIN_SECS;
|
||
return xtryasprintf (ngettext("%lld~minute", "%lld~minutes", c), c);
|
||
}
|
||
return xtryasprintf (ngettext("%lld~second", "%lld~seconds", t), t);
|
||
}
|
||
|
||
|
||
/* If FP is NULL, write TOFU_STATS status line. If FP is not NULL
|
||
* write a "tfs" record to that stream. */
|
||
static void
|
||
write_stats_status (estream_t fp,
|
||
enum tofu_policy policy,
|
||
unsigned long signature_count,
|
||
unsigned long signature_first_seen,
|
||
unsigned long signature_most_recent,
|
||
unsigned long signature_days,
|
||
unsigned long encryption_count,
|
||
unsigned long encryption_first_done,
|
||
unsigned long encryption_most_recent,
|
||
unsigned long encryption_days)
|
||
{
|
||
int summary;
|
||
int validity;
|
||
unsigned long days_sq;
|
||
|
||
/* Use the euclidean distance (m = sqrt(a^2 + b^2)) rather then the
|
||
sum of the magnitudes (m = a + b) to ensure a balance between
|
||
verified signatures and encrypted messages. */
|
||
days_sq = signature_days * signature_days + encryption_days * encryption_days;
|
||
|
||
if (days_sq < 1)
|
||
validity = 1; /* Key without history. */
|
||
else if (days_sq < (2 * BASIC_TRUST_THRESHOLD) * (2 * BASIC_TRUST_THRESHOLD))
|
||
validity = 2; /* Key with too little history. */
|
||
else if (days_sq < (2 * FULL_TRUST_THRESHOLD) * (2 * FULL_TRUST_THRESHOLD))
|
||
validity = 3; /* Key with enough history for basic trust. */
|
||
else
|
||
validity = 4; /* Key with a lot of history. */
|
||
|
||
if (policy == TOFU_POLICY_ASK)
|
||
summary = 0; /* Key requires attention. */
|
||
else
|
||
summary = validity;
|
||
|
||
if (fp)
|
||
{
|
||
es_fprintf (fp, "tfs:1:%d:%lu:%lu:%s:%lu:%lu:%lu:%lu:%d:%lu:%lu:\n",
|
||
summary, signature_count, encryption_count,
|
||
tofu_policy_str (policy),
|
||
signature_first_seen, signature_most_recent,
|
||
encryption_first_done, encryption_most_recent,
|
||
validity, signature_days, encryption_days);
|
||
}
|
||
else
|
||
{
|
||
write_status_printf (STATUS_TOFU_STATS,
|
||
"%d %lu %lu %s %lu %lu %lu %lu %d %lu %lu",
|
||
summary,
|
||
signature_count,
|
||
encryption_count,
|
||
tofu_policy_str (policy),
|
||
signature_first_seen,
|
||
signature_most_recent,
|
||
encryption_first_done,
|
||
encryption_most_recent,
|
||
validity,
|
||
signature_days, encryption_days);
|
||
}
|
||
}
|
||
|
||
/* Note: If OUTFP is not NULL, this function merely prints a "tfs" record
|
||
* to OUTFP.
|
||
*
|
||
* POLICY is the key's policy (as returned by get_policy).
|
||
*
|
||
* Returns 0 if ONLY_STATUS_FD is set. Otherwise, returns whether
|
||
* the caller should call show_warning after iterating over all user
|
||
* ids.
|
||
*/
|
||
static int
|
||
show_statistics (tofu_dbs_t dbs,
|
||
const char *fingerprint, const char *email,
|
||
enum tofu_policy policy,
|
||
estream_t outfp, int only_status_fd, time_t now)
|
||
{
|
||
char *fingerprint_pp;
|
||
int rc;
|
||
strlist_t strlist = NULL;
|
||
char *err = NULL;
|
||
|
||
unsigned long signature_first_seen = 0;
|
||
unsigned long signature_most_recent = 0;
|
||
unsigned long signature_count = 0;
|
||
unsigned long signature_days = 0;
|
||
unsigned long encryption_first_done = 0;
|
||
unsigned long encryption_most_recent = 0;
|
||
unsigned long encryption_count = 0;
|
||
unsigned long encryption_days = 0;
|
||
|
||
int show_warning = 0;
|
||
|
||
if (only_status_fd && ! is_status_enabled ())
|
||
return 0;
|
||
|
||
fingerprint_pp = format_hexfingerprint (fingerprint, NULL, 0);
|
||
|
||
/* Get the signature stats. */
|
||
rc = gpgsql_exec_printf
|
||
(dbs->db, strings_collect_cb, &strlist, &err,
|
||
"select count (*), coalesce (min (signatures.time), 0),\n"
|
||
" coalesce (max (signatures.time), 0)\n"
|
||
" from signatures\n"
|
||
" left join bindings on signatures.binding = bindings.oid\n"
|
||
" where fingerprint = %Q and email = %Q;",
|
||
fingerprint, email);
|
||
if (rc)
|
||
{
|
||
log_error (_("error reading TOFU database: %s\n"), err);
|
||
print_further_info ("getting signature statistics");
|
||
sqlite3_free (err);
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
goto out;
|
||
}
|
||
rc = gpgsql_exec_printf
|
||
(dbs->db, strings_collect_cb, &strlist, &err,
|
||
"select count (*) from\n"
|
||
" (select round(signatures.time / (24 * 60 * 60)) day\n"
|
||
" from signatures\n"
|
||
" left join bindings on signatures.binding = bindings.oid\n"
|
||
" where fingerprint = %Q and email = %Q\n"
|
||
" group by day);",
|
||
fingerprint, email);
|
||
if (rc)
|
||
{
|
||
log_error (_("error reading TOFU database: %s\n"), err);
|
||
print_further_info ("getting signature statistics (by day)");
|
||
sqlite3_free (err);
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
goto out;
|
||
}
|
||
|
||
if (strlist)
|
||
{
|
||
/* We expect exactly 4 elements. */
|
||
log_assert (strlist->next);
|
||
log_assert (strlist->next->next);
|
||
log_assert (strlist->next->next->next);
|
||
log_assert (! strlist->next->next->next->next);
|
||
|
||
string_to_ulong (&signature_days, strlist->d, -1, __LINE__);
|
||
string_to_ulong (&signature_count, strlist->next->d, -1, __LINE__);
|
||
string_to_ulong (&signature_first_seen,
|
||
strlist->next->next->d, -1, __LINE__);
|
||
string_to_ulong (&signature_most_recent,
|
||
strlist->next->next->next->d, -1, __LINE__);
|
||
|
||
free_strlist (strlist);
|
||
strlist = NULL;
|
||
}
|
||
|
||
/* Get the encryption stats. */
|
||
rc = gpgsql_exec_printf
|
||
(dbs->db, strings_collect_cb, &strlist, &err,
|
||
"select count (*), coalesce (min (encryptions.time), 0),\n"
|
||
" coalesce (max (encryptions.time), 0)\n"
|
||
" from encryptions\n"
|
||
" left join bindings on encryptions.binding = bindings.oid\n"
|
||
" where fingerprint = %Q and email = %Q;",
|
||
fingerprint, email);
|
||
if (rc)
|
||
{
|
||
log_error (_("error reading TOFU database: %s\n"), err);
|
||
print_further_info ("getting encryption statistics");
|
||
sqlite3_free (err);
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
goto out;
|
||
}
|
||
rc = gpgsql_exec_printf
|
||
(dbs->db, strings_collect_cb, &strlist, &err,
|
||
"select count (*) from\n"
|
||
" (select round(encryptions.time / (24 * 60 * 60)) day\n"
|
||
" from encryptions\n"
|
||
" left join bindings on encryptions.binding = bindings.oid\n"
|
||
" where fingerprint = %Q and email = %Q\n"
|
||
" group by day);",
|
||
fingerprint, email);
|
||
if (rc)
|
||
{
|
||
log_error (_("error reading TOFU database: %s\n"), err);
|
||
print_further_info ("getting encryption statistics (by day)");
|
||
sqlite3_free (err);
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
goto out;
|
||
}
|
||
|
||
if (strlist)
|
||
{
|
||
/* We expect exactly 4 elements. */
|
||
log_assert (strlist->next);
|
||
log_assert (strlist->next->next);
|
||
log_assert (strlist->next->next->next);
|
||
log_assert (! strlist->next->next->next->next);
|
||
|
||
string_to_ulong (&encryption_days, strlist->d, -1, __LINE__);
|
||
string_to_ulong (&encryption_count, strlist->next->d, -1, __LINE__);
|
||
string_to_ulong (&encryption_first_done,
|
||
strlist->next->next->d, -1, __LINE__);
|
||
string_to_ulong (&encryption_most_recent,
|
||
strlist->next->next->next->d, -1, __LINE__);
|
||
|
||
free_strlist (strlist);
|
||
strlist = NULL;
|
||
}
|
||
|
||
if (!outfp)
|
||
write_status_text_and_buffer (STATUS_TOFU_USER, fingerprint,
|
||
email, strlen (email), 0);
|
||
|
||
write_stats_status (outfp, policy,
|
||
signature_count,
|
||
signature_first_seen,
|
||
signature_most_recent,
|
||
signature_days,
|
||
encryption_count,
|
||
encryption_first_done,
|
||
encryption_most_recent,
|
||
encryption_days);
|
||
|
||
if (!outfp && !only_status_fd)
|
||
{
|
||
estream_t fp;
|
||
char *msg;
|
||
|
||
fp = es_fopenmem (0, "rw,samethread");
|
||
if (! fp)
|
||
log_fatal ("error creating memory stream: %s\n",
|
||
gpg_strerror (gpg_error_from_syserror()));
|
||
|
||
if (signature_count == 0 && encryption_count == 0)
|
||
{
|
||
es_fprintf (fp,
|
||
_("%s: Verified 0~signatures and encrypted 0~messages."),
|
||
email);
|
||
}
|
||
else
|
||
{
|
||
if (signature_count == 0)
|
||
es_fprintf (fp, _("%s: Verified 0 signatures."), email);
|
||
else
|
||
{
|
||
/* Note: Translation not possible with that wording. */
|
||
char *ago_str = time_ago_str (now - signature_first_seen);
|
||
es_fprintf
|
||
(fp, "%s: Verified %ld~signatures in the past %s.",
|
||
email, signature_count, ago_str);
|
||
xfree (ago_str);
|
||
}
|
||
|
||
es_fputs (" ", fp);
|
||
|
||
if (encryption_count == 0)
|
||
es_fprintf (fp, _("Encrypted 0 messages."));
|
||
else
|
||
{
|
||
char *ago_str = time_ago_str (now - encryption_first_done);
|
||
|
||
/* Note: Translation not possible with this kind of
|
||
* composition. */
|
||
es_fprintf (fp, "Encrypted %ld~messages in the past %s.",
|
||
encryption_count, ago_str);
|
||
xfree (ago_str);
|
||
}
|
||
}
|
||
|
||
if (opt.verbose)
|
||
{
|
||
es_fputs (" ", fp);
|
||
es_fprintf (fp, _("(policy: %s)"), tofu_policy_str (policy));
|
||
}
|
||
es_fputs ("\n", fp);
|
||
|
||
|
||
{
|
||
char *tmpmsg, *p;
|
||
es_fputc (0, fp);
|
||
if (es_fclose_snatch (fp, (void **) &tmpmsg, NULL))
|
||
log_fatal ("error snatching memory stream\n");
|
||
msg = format_text (tmpmsg, 72, 80);
|
||
if (!msg) /* FIXME: Return the error all the way up. */
|
||
log_fatal ("format failed: %s\n",
|
||
gpg_strerror (gpg_error_from_syserror()));
|
||
es_free (tmpmsg);
|
||
|
||
/* Print a status line but suppress the trailing LF.
|
||
* Spaces are not percent escaped. */
|
||
if (*msg)
|
||
write_status_buffer (STATUS_TOFU_STATS_LONG,
|
||
msg, strlen (msg)-1, -1);
|
||
|
||
/* Remove the non-breaking space markers. */
|
||
for (p=msg; *p; p++)
|
||
if (*p == '~')
|
||
*p = ' ';
|
||
}
|
||
|
||
log_string (GPGRT_LOGLVL_INFO, msg);
|
||
xfree (msg);
|
||
|
||
if (policy == TOFU_POLICY_AUTO)
|
||
{
|
||
if (signature_count == 0)
|
||
log_info (_("Warning: we have yet to see"
|
||
" a message signed using this key and user id!\n"));
|
||
else if (signature_count == 1)
|
||
log_info (_("Warning: we've only seen one message"
|
||
" signed using this key and user id!\n"));
|
||
|
||
if (encryption_count == 0)
|
||
log_info (_("Warning: you have yet to encrypt"
|
||
" a message to this key!\n"));
|
||
else if (encryption_count == 1)
|
||
log_info (_("Warning: you have only encrypted"
|
||
" one message to this key!\n"));
|
||
|
||
/* Cf. write_stats_status */
|
||
if ((encryption_count * encryption_count
|
||
+ signature_count * signature_count)
|
||
< ((2 * BASIC_TRUST_THRESHOLD) * (2 * BASIC_TRUST_THRESHOLD)))
|
||
show_warning = 1;
|
||
}
|
||
}
|
||
|
||
out:
|
||
xfree (fingerprint_pp);
|
||
|
||
return show_warning;
|
||
}
|
||
|
||
static void
|
||
show_warning (const char *fingerprint, strlist_t user_id_list)
|
||
{
|
||
char *set_policy_command;
|
||
char *text;
|
||
char *tmpmsg;
|
||
|
||
set_policy_command =
|
||
xasprintf ("gpg --tofu-policy bad %s", fingerprint);
|
||
|
||
tmpmsg = xasprintf
|
||
(ngettext
|
||
("Warning: if you think you've seen more signatures "
|
||
"by this key and user id, then this key might be a "
|
||
"forgery! Carefully examine the email address for small "
|
||
"variations. If the key is suspect, then use\n"
|
||
" %s\n"
|
||
"to mark it as being bad.\n",
|
||
"Warning: if you think you've seen more signatures "
|
||
"by this key and these user ids, then this key might be a "
|
||
"forgery! Carefully examine the email addresses for small "
|
||
"variations. If the key is suspect, then use\n"
|
||
" %s\n"
|
||
"to mark it as being bad.\n",
|
||
strlist_length (user_id_list)),
|
||
set_policy_command);
|
||
|
||
text = format_text (tmpmsg, 72, 80);
|
||
if (!text) /* FIXME: Return the error all the way up. */
|
||
log_fatal ("format failed: %s\n",
|
||
gpg_strerror (gpg_error_from_syserror()));
|
||
xfree (tmpmsg);
|
||
log_string (GPGRT_LOGLVL_INFO, text);
|
||
xfree (text);
|
||
|
||
es_free (set_policy_command);
|
||
}
|
||
|
||
|
||
/* Extract the email address from a user id and normalize it. If the
|
||
user id doesn't contain an email address, then we use the whole
|
||
user_id and normalize that. The returned string must be freed. */
|
||
static char *
|
||
email_from_user_id (const char *user_id)
|
||
{
|
||
char *email = mailbox_from_userid (user_id, 0);
|
||
if (! email)
|
||
{
|
||
/* Hmm, no email address was provided or we are out of core. Just
|
||
take the lower-case version of the whole user id. It could be
|
||
a hostname, for instance. */
|
||
email = ascii_strlwr (xstrdup (user_id));
|
||
}
|
||
|
||
return email;
|
||
}
|
||
|
||
/* Register the signature with the bindings <fingerprint, USER_ID>,
|
||
for each USER_ID in USER_ID_LIST. The fingerprint is taken from
|
||
the primary key packet PK.
|
||
|
||
SIG_DIGEST_BIN is the binary representation of the message's
|
||
digest. SIG_DIGEST_BIN_LEN is its length.
|
||
|
||
SIG_TIME is the time that the signature was generated.
|
||
|
||
ORIGIN is a free-formed string describing the origin of the
|
||
signature. If this was from an email and the Claws MUA was used,
|
||
then this should be something like: "email:claws". If this is
|
||
NULL, the default is simply "unknown".
|
||
|
||
If MAY_ASK is 1, then this function may interact with the user.
|
||
This is necessary if there is a conflict or the binding's policy is
|
||
TOFU_POLICY_ASK.
|
||
|
||
This function returns 0 on success and an error code if an error
|
||
occurred. */
|
||
gpg_error_t
|
||
tofu_register_signature (ctrl_t ctrl,
|
||
PKT_public_key *pk, strlist_t user_id_list,
|
||
const byte *sig_digest_bin, int sig_digest_bin_len,
|
||
time_t sig_time, const char *origin)
|
||
{
|
||
time_t now = gnupg_get_time ();
|
||
gpg_error_t rc;
|
||
tofu_dbs_t dbs;
|
||
char *fingerprint = NULL;
|
||
strlist_t user_id;
|
||
char *email = NULL;
|
||
char *sqlerr = NULL;
|
||
char *sig_digest = NULL;
|
||
unsigned long c;
|
||
|
||
dbs = opendbs (ctrl);
|
||
if (! dbs)
|
||
{
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
log_error (_("error opening TOFU database: %s\n"),
|
||
gpg_strerror (rc));
|
||
return rc;
|
||
}
|
||
|
||
/* We do a query and then an insert. Make sure they are atomic
|
||
by wrapping them in a transaction. */
|
||
rc = begin_transaction (ctrl, 0);
|
||
if (rc)
|
||
return rc;
|
||
|
||
log_assert (pk_is_primary (pk));
|
||
|
||
sig_digest = make_radix64_string (sig_digest_bin, sig_digest_bin_len);
|
||
if (!sig_digest)
|
||
{
|
||
rc = gpg_error_from_syserror ();
|
||
goto leave;
|
||
}
|
||
fingerprint = hexfingerprint (pk, NULL, 0);
|
||
if (!fingerprint)
|
||
{
|
||
rc = gpg_error_from_syserror ();
|
||
goto leave;
|
||
}
|
||
|
||
if (! origin)
|
||
origin = "unknown"; /* The default origin is simply "unknown". */
|
||
|
||
for (user_id = user_id_list; user_id; user_id = user_id->next)
|
||
{
|
||
email = email_from_user_id (user_id->d);
|
||
|
||
if (DBG_TRUST)
|
||
log_debug ("TOFU: Registering signature %s with binding"
|
||
" <key: %s, user id: %s>\n",
|
||
sig_digest, fingerprint, email);
|
||
|
||
/* Make sure the binding exists and record any TOFU
|
||
conflicts. */
|
||
if (get_trust (ctrl, pk, fingerprint, email, user_id->d,
|
||
0, NULL, NULL, now)
|
||
== _tofu_GET_TRUST_ERROR)
|
||
{
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
xfree (email);
|
||
break;
|
||
}
|
||
|
||
/* If we've already seen this signature before, then don't add
|
||
it again. */
|
||
rc = gpgsql_stepx
|
||
(dbs->db, &dbs->s.register_already_seen,
|
||
get_single_unsigned_long_cb2, &c, &sqlerr,
|
||
"select count (*)\n"
|
||
" from signatures left join bindings\n"
|
||
" on signatures.binding = bindings.oid\n"
|
||
" where fingerprint = ? and email = ? and sig_time = ?\n"
|
||
" and sig_digest = ?",
|
||
GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email,
|
||
GPGSQL_ARG_LONG_LONG, (long long) sig_time,
|
||
GPGSQL_ARG_STRING, sig_digest,
|
||
GPGSQL_ARG_END);
|
||
if (rc)
|
||
{
|
||
log_error (_("error reading TOFU database: %s\n"), sqlerr);
|
||
print_further_info ("checking existence");
|
||
sqlite3_free (sqlerr);
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
}
|
||
else if (c > 1)
|
||
/* Duplicates! This should not happen. In particular,
|
||
because <fingerprint, email, sig_time, sig_digest> is the
|
||
primary key! */
|
||
log_debug ("SIGNATURES DB contains duplicate records"
|
||
" <key: %s, email: %s, time: 0x%lx, sig: %s,"
|
||
" origin: %s>."
|
||
" Please report.\n",
|
||
fingerprint, email, (unsigned long) sig_time,
|
||
sig_digest, origin);
|
||
else if (c == 1)
|
||
{
|
||
if (DBG_TRUST)
|
||
log_debug ("Already observed the signature and binding"
|
||
" <key: %s, email: %s, time: 0x%lx, sig: %s,"
|
||
" origin: %s>\n",
|
||
fingerprint, email, (unsigned long) sig_time,
|
||
sig_digest, origin);
|
||
}
|
||
else if (opt.dry_run)
|
||
{
|
||
log_info ("TOFU database update skipped due to --dry-run\n");
|
||
}
|
||
else
|
||
/* This is the first time that we've seen this signature and
|
||
binding. Record it. */
|
||
{
|
||
if (DBG_TRUST)
|
||
log_debug ("TOFU: Saving signature"
|
||
" <key: %s, user id: %s, sig: %s>\n",
|
||
fingerprint, email, sig_digest);
|
||
|
||
log_assert (c == 0);
|
||
|
||
rc = gpgsql_stepx
|
||
(dbs->db, &dbs->s.register_signature, NULL, NULL, &sqlerr,
|
||
"insert into signatures\n"
|
||
" (binding, sig_digest, origin, sig_time, time)\n"
|
||
" values\n"
|
||
" ((select oid from bindings\n"
|
||
" where fingerprint = ? and email = ?),\n"
|
||
" ?, ?, ?, ?);",
|
||
GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email,
|
||
GPGSQL_ARG_STRING, sig_digest, GPGSQL_ARG_STRING, origin,
|
||
GPGSQL_ARG_LONG_LONG, (long long) sig_time,
|
||
GPGSQL_ARG_LONG_LONG, (long long) now,
|
||
GPGSQL_ARG_END);
|
||
if (rc)
|
||
{
|
||
log_error (_("error updating TOFU database: %s\n"), sqlerr);
|
||
print_further_info ("insert signatures");
|
||
sqlite3_free (sqlerr);
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
}
|
||
}
|
||
|
||
xfree (email);
|
||
|
||
if (rc)
|
||
break;
|
||
}
|
||
|
||
leave:
|
||
if (rc)
|
||
rollback_transaction (ctrl);
|
||
else
|
||
rc = end_transaction (ctrl, 0);
|
||
|
||
xfree (fingerprint);
|
||
xfree (sig_digest);
|
||
|
||
return rc;
|
||
}
|
||
|
||
gpg_error_t
|
||
tofu_register_encryption (ctrl_t ctrl,
|
||
PKT_public_key *pk, strlist_t user_id_list,
|
||
int may_ask)
|
||
{
|
||
time_t now = gnupg_get_time ();
|
||
gpg_error_t rc = 0;
|
||
tofu_dbs_t dbs;
|
||
kbnode_t kb = NULL;
|
||
int free_user_id_list = 0;
|
||
char *fingerprint = NULL;
|
||
strlist_t user_id;
|
||
char *sqlerr = NULL;
|
||
int in_batch = 0;
|
||
|
||
dbs = opendbs (ctrl);
|
||
if (! dbs)
|
||
{
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
log_error (_("error opening TOFU database: %s\n"),
|
||
gpg_strerror (rc));
|
||
return rc;
|
||
}
|
||
|
||
if (/* We need the key block to find the primary key. */
|
||
! pk_is_primary (pk)
|
||
/* We need the key block to find all user ids. */
|
||
|| ! user_id_list)
|
||
kb = get_pubkeyblock (ctrl, pk->keyid);
|
||
|
||
/* Make sure PK is a primary key. */
|
||
if (! pk_is_primary (pk))
|
||
pk = kb->pkt->pkt.public_key;
|
||
|
||
if (! user_id_list)
|
||
{
|
||
/* Use all non-revoked user ids. Do use expired user ids. */
|
||
kbnode_t n = kb;
|
||
|
||
while ((n = find_next_kbnode (n, PKT_USER_ID)))
|
||
{
|
||
PKT_user_id *uid = n->pkt->pkt.user_id;
|
||
|
||
if (uid->flags.revoked)
|
||
continue;
|
||
|
||
add_to_strlist (&user_id_list, uid->name);
|
||
}
|
||
|
||
free_user_id_list = 1;
|
||
|
||
if (! user_id_list)
|
||
log_info (_("WARNING: Encrypting to %s, which has no "
|
||
"non-revoked user ids\n"),
|
||
keystr (pk->keyid));
|
||
}
|
||
|
||
fingerprint = hexfingerprint (pk, NULL, 0);
|
||
if (!fingerprint)
|
||
{
|
||
rc = gpg_error_from_syserror ();
|
||
goto leave;
|
||
}
|
||
|
||
tofu_begin_batch_update (ctrl);
|
||
in_batch = 1;
|
||
tofu_resume_batch_transaction (ctrl);
|
||
|
||
for (user_id = user_id_list; user_id; user_id = user_id->next)
|
||
{
|
||
char *email = email_from_user_id (user_id->d);
|
||
strlist_t conflict_set = NULL;
|
||
enum tofu_policy policy;
|
||
|
||
/* Make sure the binding exists and that we recognize any
|
||
conflicts. */
|
||
int tl = get_trust (ctrl, pk, fingerprint, email, user_id->d,
|
||
may_ask, &policy, &conflict_set, now);
|
||
if (tl == _tofu_GET_TRUST_ERROR)
|
||
{
|
||
/* An error. */
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
xfree (email);
|
||
goto leave;
|
||
}
|
||
|
||
|
||
/* If there is a conflict and MAY_ASK is true, we need to show
|
||
* the TOFU statistics for the current binding and the
|
||
* conflicting bindings. But, if we are not in batch mode, then
|
||
* they have already been printed (this is required to make sure
|
||
* the information is available to the caller before cpr_get is
|
||
* called). */
|
||
if (policy == TOFU_POLICY_ASK && may_ask && opt.batch)
|
||
{
|
||
strlist_t iter;
|
||
|
||
/* The conflict set should contain at least the current
|
||
* key. */
|
||
log_assert (conflict_set);
|
||
|
||
for (iter = conflict_set; iter; iter = iter->next)
|
||
show_statistics (dbs, iter->d, email,
|
||
TOFU_POLICY_ASK, NULL, 1, now);
|
||
}
|
||
|
||
free_strlist (conflict_set);
|
||
|
||
rc = gpgsql_stepx
|
||
(dbs->db, &dbs->s.register_encryption, NULL, NULL, &sqlerr,
|
||
"insert into encryptions\n"
|
||
" (binding, time)\n"
|
||
" values\n"
|
||
" ((select oid from bindings\n"
|
||
" where fingerprint = ? and email = ?),\n"
|
||
" ?);",
|
||
GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email,
|
||
GPGSQL_ARG_LONG_LONG, (long long) now,
|
||
GPGSQL_ARG_END);
|
||
if (rc)
|
||
{
|
||
log_error (_("error updating TOFU database: %s\n"), sqlerr);
|
||
print_further_info ("insert encryption");
|
||
sqlite3_free (sqlerr);
|
||
rc = gpg_error (GPG_ERR_GENERAL);
|
||
}
|
||
|
||
xfree (email);
|
||
}
|
||
|
||
leave:
|
||
if (in_batch)
|
||
tofu_end_batch_update (ctrl);
|
||
|
||
release_kbnode (kb);
|
||
if (free_user_id_list)
|
||
free_strlist (user_id_list);
|
||
xfree (fingerprint);
|
||
|
||
return rc;
|
||
}
|
||
|
||
|
||
/* Combine a trust level returned from the TOFU trust model with a
|
||
trust level returned by the PGP trust model. This is primarily of
|
||
interest when the trust model is tofu+pgp (TM_TOFU_PGP).
|
||
|
||
This function ors together the upper bits (the values not covered
|
||
by TRUST_MASK, i.e., TRUST_FLAG_REVOKED, etc.). */
|
||
int
|
||
tofu_wot_trust_combine (int tofu_base, int wot_base)
|
||
{
|
||
int tofu = tofu_base & TRUST_MASK;
|
||
int wot = wot_base & TRUST_MASK;
|
||
int upper = (tofu_base & ~TRUST_MASK) | (wot_base & ~TRUST_MASK);
|
||
|
||
log_assert (tofu == TRUST_UNKNOWN
|
||
|| tofu == TRUST_EXPIRED
|
||
|| tofu == TRUST_UNDEFINED
|
||
|| tofu == TRUST_NEVER
|
||
|| tofu == TRUST_MARGINAL
|
||
|| tofu == TRUST_FULLY
|
||
|| tofu == TRUST_ULTIMATE);
|
||
log_assert (wot == TRUST_UNKNOWN
|
||
|| wot == TRUST_EXPIRED
|
||
|| wot == TRUST_UNDEFINED
|
||
|| wot == TRUST_NEVER
|
||
|| wot == TRUST_MARGINAL
|
||
|| wot == TRUST_FULLY
|
||
|| wot == TRUST_ULTIMATE);
|
||
|
||
/* We first consider negative trust policies. These trump positive
|
||
trust policies. */
|
||
if (tofu == TRUST_NEVER || wot == TRUST_NEVER)
|
||
/* TRUST_NEVER trumps everything else. */
|
||
return upper | TRUST_NEVER;
|
||
if (tofu == TRUST_EXPIRED || wot == TRUST_EXPIRED)
|
||
/* TRUST_EXPIRED trumps everything but TRUST_NEVER. */
|
||
return upper | TRUST_EXPIRED;
|
||
|
||
/* Now we only have positive or neutral trust policies. We take
|
||
the max. */
|
||
if (tofu == TRUST_ULTIMATE)
|
||
return upper | TRUST_ULTIMATE | TRUST_FLAG_TOFU_BASED;
|
||
if (wot == TRUST_ULTIMATE)
|
||
return upper | TRUST_ULTIMATE;
|
||
|
||
if (tofu == TRUST_FULLY)
|
||
return upper | TRUST_FULLY | TRUST_FLAG_TOFU_BASED;
|
||
if (wot == TRUST_FULLY)
|
||
return upper | TRUST_FULLY;
|
||
|
||
if (tofu == TRUST_MARGINAL)
|
||
return upper | TRUST_MARGINAL | TRUST_FLAG_TOFU_BASED;
|
||
if (wot == TRUST_MARGINAL)
|
||
return upper | TRUST_MARGINAL;
|
||
|
||
if (tofu == TRUST_UNDEFINED)
|
||
return upper | TRUST_UNDEFINED | TRUST_FLAG_TOFU_BASED;
|
||
if (wot == TRUST_UNDEFINED)
|
||
return upper | TRUST_UNDEFINED;
|
||
|
||
return upper | TRUST_UNKNOWN;
|
||
}
|
||
|
||
|
||
/* Write a "tfs" record for a --with-colons listing. */
|
||
gpg_error_t
|
||
tofu_write_tfs_record (ctrl_t ctrl, estream_t fp,
|
||
PKT_public_key *pk, const char *user_id)
|
||
{
|
||
time_t now = gnupg_get_time ();
|
||
gpg_error_t err = 0;
|
||
tofu_dbs_t dbs;
|
||
char *fingerprint;
|
||
char *email = NULL;
|
||
enum tofu_policy policy;
|
||
|
||
if (!*user_id)
|
||
return 0; /* No TOFU stats possible for an empty ID. */
|
||
|
||
dbs = opendbs (ctrl);
|
||
if (!dbs)
|
||
{
|
||
err = gpg_error (GPG_ERR_GENERAL);
|
||
log_error (_("error opening TOFU database: %s\n"), gpg_strerror (err));
|
||
return err;
|
||
}
|
||
|
||
fingerprint = hexfingerprint (pk, NULL, 0);
|
||
if (!fingerprint)
|
||
{
|
||
err = gpg_error_from_syserror ();
|
||
goto leave;
|
||
}
|
||
email = email_from_user_id (user_id);
|
||
policy = get_policy (ctrl, dbs, pk, fingerprint, user_id, email, NULL, now);
|
||
|
||
show_statistics (dbs, fingerprint, email, policy, fp, 0, now);
|
||
|
||
leave:
|
||
xfree (email);
|
||
xfree (fingerprint);
|
||
return err;
|
||
}
|
||
|
||
|
||
/* Return the validity (TRUST_NEVER, etc.) of the bindings
|
||
<FINGERPRINT, USER_ID>, for each USER_ID in USER_ID_LIST. If
|
||
USER_ID_LIST->FLAG is set, then the id is considered to be expired.
|
||
|
||
PK is the primary key packet.
|
||
|
||
If MAY_ASK is 1 and the policy is TOFU_POLICY_ASK, then the user
|
||
will be prompted to choose a policy. If MAY_ASK is 0 and the
|
||
policy is TOFU_POLICY_ASK, then TRUST_UNKNOWN is returned.
|
||
|
||
Returns TRUST_UNDEFINED if an error occurs.
|
||
|
||
Fixme: eturn an error code
|
||
*/
|
||
int
|
||
tofu_get_validity (ctrl_t ctrl, PKT_public_key *pk, strlist_t user_id_list,
|
||
int may_ask)
|
||
{
|
||
time_t now = gnupg_get_time ();
|
||
tofu_dbs_t dbs;
|
||
char *fingerprint = NULL;
|
||
strlist_t user_id;
|
||
int trust_level = TRUST_UNKNOWN;
|
||
int bindings = 0;
|
||
int bindings_valid = 0;
|
||
int need_warning = 0;
|
||
int had_conflict = 0;
|
||
|
||
dbs = opendbs (ctrl);
|
||
if (! dbs)
|
||
{
|
||
log_error (_("error opening TOFU database: %s\n"),
|
||
gpg_strerror (GPG_ERR_GENERAL));
|
||
return TRUST_UNDEFINED;
|
||
}
|
||
|
||
fingerprint = hexfingerprint (pk, NULL, 0);
|
||
if (!fingerprint)
|
||
log_fatal ("%s: malloc failed\n", __func__);
|
||
|
||
tofu_begin_batch_update (ctrl);
|
||
/* Start the batch transaction now. */
|
||
tofu_resume_batch_transaction (ctrl);
|
||
|
||
for (user_id = user_id_list; user_id; user_id = user_id->next, bindings ++)
|
||
{
|
||
char *email = email_from_user_id (user_id->d);
|
||
strlist_t conflict_set = NULL;
|
||
enum tofu_policy policy;
|
||
|
||
/* Always call get_trust to make sure the binding is
|
||
registered. */
|
||
int tl = get_trust (ctrl, pk, fingerprint, email, user_id->d,
|
||
may_ask, &policy, &conflict_set, now);
|
||
if (tl == _tofu_GET_TRUST_ERROR)
|
||
{
|
||
/* An error. */
|
||
trust_level = TRUST_UNDEFINED;
|
||
xfree (email);
|
||
goto die;
|
||
}
|
||
|
||
if (DBG_TRUST)
|
||
log_debug ("TOFU: validity for <key: %s, user id: %s>: %s%s.\n",
|
||
fingerprint, email,
|
||
trust_value_to_string (tl),
|
||
user_id->flags ? " (but expired)" : "");
|
||
|
||
if (user_id->flags)
|
||
tl = TRUST_EXPIRED;
|
||
|
||
if (tl != TRUST_EXPIRED)
|
||
bindings_valid ++;
|
||
|
||
if (may_ask && tl != TRUST_ULTIMATE && tl != TRUST_EXPIRED)
|
||
{
|
||
/* If policy is ask, then we already printed out the
|
||
* conflict information in ask_about_binding or will do so
|
||
* in a moment. */
|
||
if (policy != TOFU_POLICY_ASK)
|
||
need_warning |=
|
||
show_statistics (dbs, fingerprint, email, policy, NULL, 0, now);
|
||
|
||
/* If there is a conflict and MAY_ASK is true, we need to
|
||
* show the TOFU statistics for the current binding and the
|
||
* conflicting bindings. But, if we are not in batch mode,
|
||
* then they have already been printed (this is required to
|
||
* make sure the information is available to the caller
|
||
* before cpr_get is called). */
|
||
if (policy == TOFU_POLICY_ASK && opt.batch)
|
||
{
|
||
strlist_t iter;
|
||
|
||
/* The conflict set should contain at least the current
|
||
* key. */
|
||
log_assert (conflict_set);
|
||
|
||
had_conflict = 1;
|
||
for (iter = conflict_set; iter; iter = iter->next)
|
||
show_statistics (dbs, iter->d, email,
|
||
TOFU_POLICY_ASK, NULL, 1, now);
|
||
}
|
||
}
|
||
|
||
free_strlist (conflict_set);
|
||
|
||
if (tl == TRUST_NEVER)
|
||
trust_level = TRUST_NEVER;
|
||
else if (tl == TRUST_EXPIRED)
|
||
/* Ignore expired bindings in the trust calculation. */
|
||
;
|
||
else if (tl > trust_level)
|
||
{
|
||
/* The expected values: */
|
||
log_assert (tl == TRUST_UNKNOWN || tl == TRUST_UNDEFINED
|
||
|| tl == TRUST_MARGINAL || tl == TRUST_FULLY
|
||
|| tl == TRUST_ULTIMATE);
|
||
|
||
/* We assume the following ordering: */
|
||
log_assert (TRUST_UNKNOWN < TRUST_UNDEFINED);
|
||
log_assert (TRUST_UNDEFINED < TRUST_MARGINAL);
|
||
log_assert (TRUST_MARGINAL < TRUST_FULLY);
|
||
log_assert (TRUST_FULLY < TRUST_ULTIMATE);
|
||
|
||
trust_level = tl;
|
||
}
|
||
|
||
xfree (email);
|
||
}
|
||
|
||
if (need_warning && ! had_conflict)
|
||
show_warning (fingerprint, user_id_list);
|
||
|
||
die:
|
||
tofu_end_batch_update (ctrl);
|
||
|
||
xfree (fingerprint);
|
||
|
||
if (bindings_valid == 0)
|
||
{
|
||
if (DBG_TRUST)
|
||
log_debug ("no (of %d) valid bindings."
|
||
" Can't get TOFU validity for this set of user ids.\n",
|
||
bindings);
|
||
return TRUST_NEVER;
|
||
}
|
||
|
||
return trust_level;
|
||
}
|
||
|
||
/* Set the policy for all non-revoked user ids in the keyblock KB to
|
||
POLICY.
|
||
|
||
If no key is available with the specified key id, then this
|
||
function returns GPG_ERR_NO_PUBKEY.
|
||
|
||
Returns 0 on success and an error code otherwise. */
|
||
gpg_error_t
|
||
tofu_set_policy (ctrl_t ctrl, kbnode_t kb, enum tofu_policy policy)
|
||
{
|
||
gpg_error_t err = 0;
|
||
time_t now = gnupg_get_time ();
|
||
tofu_dbs_t dbs;
|
||
PKT_public_key *pk;
|
||
char *fingerprint = NULL;
|
||
|
||
log_assert (kb->pkt->pkttype == PKT_PUBLIC_KEY);
|
||
pk = kb->pkt->pkt.public_key;
|
||
|
||
dbs = opendbs (ctrl);
|
||
if (! dbs)
|
||
{
|
||
log_error (_("error opening TOFU database: %s\n"),
|
||
gpg_strerror (GPG_ERR_GENERAL));
|
||
return gpg_error (GPG_ERR_GENERAL);
|
||
}
|
||
|
||
if (DBG_TRUST)
|
||
log_debug ("Setting TOFU policy for %s to %s\n",
|
||
keystr (pk->keyid), tofu_policy_str (policy));
|
||
if (! pk_is_primary (pk))
|
||
log_bug ("%s: Passed a subkey, but expecting a primary key.\n", __func__);
|
||
|
||
fingerprint = hexfingerprint (pk, NULL, 0);
|
||
if (!fingerprint)
|
||
return gpg_error_from_syserror ();
|
||
|
||
begin_transaction (ctrl, 0);
|
||
|
||
for (; kb; kb = kb->next)
|
||
{
|
||
PKT_user_id *user_id;
|
||
char *email;
|
||
|
||
if (kb->pkt->pkttype != PKT_USER_ID)
|
||
continue;
|
||
|
||
user_id = kb->pkt->pkt.user_id;
|
||
if (user_id->flags.revoked)
|
||
/* Skip revoked user ids. (Don't skip expired user ids, the
|
||
expiry can be changed.) */
|
||
continue;
|
||
|
||
email = email_from_user_id (user_id->name);
|
||
|
||
err = record_binding (dbs, fingerprint, email, user_id->name,
|
||
policy, TOFU_POLICY_NONE, NULL, 0, 1, now);
|
||
if (err)
|
||
{
|
||
log_error ("error setting policy for key %s, user id \"%s\": %s",
|
||
fingerprint, email, gpg_strerror (err));
|
||
xfree (email);
|
||
break;
|
||
}
|
||
|
||
xfree (email);
|
||
}
|
||
|
||
if (err)
|
||
rollback_transaction (ctrl);
|
||
else
|
||
end_transaction (ctrl, 0);
|
||
|
||
xfree (fingerprint);
|
||
return err;
|
||
}
|
||
|
||
/* Return the TOFU policy for the specified binding in *POLICY. If no
|
||
policy has been set for the binding, sets *POLICY to
|
||
TOFU_POLICY_NONE.
|
||
|
||
PK is a primary public key and USER_ID is a user id.
|
||
|
||
Returns 0 on success and an error code otherwise. */
|
||
gpg_error_t
|
||
tofu_get_policy (ctrl_t ctrl, PKT_public_key *pk, PKT_user_id *user_id,
|
||
enum tofu_policy *policy)
|
||
{
|
||
time_t now = gnupg_get_time ();
|
||
tofu_dbs_t dbs;
|
||
char *fingerprint;
|
||
char *email;
|
||
|
||
/* Make sure PK is a primary key. */
|
||
log_assert (pk_is_primary (pk));
|
||
|
||
dbs = opendbs (ctrl);
|
||
if (! dbs)
|
||
{
|
||
log_error (_("error opening TOFU database: %s\n"),
|
||
gpg_strerror (GPG_ERR_GENERAL));
|
||
return gpg_error (GPG_ERR_GENERAL);
|
||
}
|
||
|
||
fingerprint = hexfingerprint (pk, NULL, 0);
|
||
if (!fingerprint)
|
||
return gpg_error_from_syserror ();
|
||
|
||
email = email_from_user_id (user_id->name);
|
||
|
||
*policy = get_policy (ctrl, dbs, pk, fingerprint,
|
||
user_id->name, email, NULL, now);
|
||
|
||
xfree (email);
|
||
xfree (fingerprint);
|
||
if (*policy == _tofu_GET_POLICY_ERROR)
|
||
return gpg_error (GPG_ERR_GENERAL);
|
||
return 0;
|
||
}
|
||
|
||
gpg_error_t
|
||
tofu_notice_key_changed (ctrl_t ctrl, kbnode_t kb)
|
||
{
|
||
tofu_dbs_t dbs;
|
||
PKT_public_key *pk;
|
||
char *fingerprint;
|
||
char *sqlerr = NULL;
|
||
int rc;
|
||
|
||
/* Make sure PK is a primary key. */
|
||
setup_main_keyids (kb);
|
||
pk = kb->pkt->pkt.public_key;
|
||
log_assert (pk_is_primary (pk));
|
||
|
||
dbs = opendbs (ctrl);
|
||
if (! dbs)
|
||
{
|
||
log_error (_("error opening TOFU database: %s\n"),
|
||
gpg_strerror (GPG_ERR_GENERAL));
|
||
return gpg_error (GPG_ERR_GENERAL);
|
||
}
|
||
|
||
fingerprint = hexfingerprint (pk, NULL, 0);
|
||
if (!fingerprint)
|
||
return gpg_error_from_syserror ();
|
||
|
||
rc = gpgsql_stepx (dbs->db, NULL, NULL, NULL, &sqlerr,
|
||
"update bindings set effective_policy = ?"
|
||
" where fingerprint = ?;",
|
||
GPGSQL_ARG_INT, (int) TOFU_POLICY_NONE,
|
||
GPGSQL_ARG_STRING, fingerprint,
|
||
GPGSQL_ARG_END);
|
||
xfree (fingerprint);
|
||
|
||
if (rc == _tofu_GET_POLICY_ERROR)
|
||
return gpg_error (GPG_ERR_GENERAL);
|
||
return 0;
|
||
}
|