27
26
#include <assert.h>
28
27
#include <unistd.h>
29
28
#include <sys/stat.h>
32
32
#include <assuan.h> /* fixme: need a way to avoid assuan calls here */
36
/* A structure to store the information from the trust file. */
41
int for_pgp:1; /* Set by '*' or 'P' as first flag. */
42
int for_smime:1; /* Set by '*' or 'S' as first flag. */
43
int relax:1; /* Relax checking of root certificate
45
int cm:1; /* Use chain model for validation. */
47
unsigned char fpr[20]; /* The binary fingerprint. */
49
typedef struct trustitem_s trustitem_t;
51
/* Malloced table and its allocated size with all trust items. */
52
static trustitem_t *trusttable;
53
static size_t trusttablesize;
54
/* A mutex used to protect the table. */
55
static pth_mutex_t trusttable_lock;
35
59
static const char headerblurb[] =
36
60
"# This is the list of trusted keys. Comment lines, like this one, as\n"
37
"# well as empty lines are ignored. The entire file may be integrity\n"
38
"# protected by the use of a MAC, so changing the file does not make\n"
39
"# sense without the knowledge of the MAC key. Lines do have a length\n"
40
"# limit but this is not serious limitation as the format of the\n"
41
"# entries is fixed and checked by gpg-agent: A non-comment line starts\n"
42
"# with optional white spaces, followed by the SHA-1 fingerpint in hex,\n"
43
"# optionally followed by a flag character which my either be 'P', 'S'\n"
44
"# or '*'. Additional data, delimited by white space, is ignored.\n"
46
"# NOTE: You should give the gpg-agent a HUP after editing this file.\n"
61
"# well as empty lines are ignored. Lines have a length limit but this\n"
62
"# is not serious limitation as the format of the entries is fixed and\n"
63
"# checked by gpg-agent. A non-comment line starts with optional white\n"
64
"# space, followed by the SHA-1 fingerpint in hex, optionally followed\n"
65
"# by a flag character which my either be 'P', 'S' or '*'. You should\n"
66
"# give the gpg-agent a HUP after editing this file.\n"
68
"# Include the default trust list\n"
51
static int trustfp_used; /* Counter to track usage of TRUSTFP. */
52
static int reload_trustlist_pending;
56
open_list (int append)
60
fname = make_filename (opt.homedir, "trustlist.txt", NULL);
61
trustfp = fopen (fname, append? "a+":"r");
62
if (!trustfp && errno == ENOENT)
64
trustfp = fopen (fname, "wx");
67
gpg_error_t tmperr = gpg_error (gpg_err_code_from_errno (errno));
68
log_error ("can't create `%s': %s\n", fname, strerror (errno));
72
fputs (headerblurb, trustfp);
74
trustfp = fopen (fname, append? "a+":"r");
79
gpg_error_t tmperr = gpg_error (gpg_err_code_from_errno (errno));
80
log_error ("can't open `%s': %s\n", fname, strerror (errno));
85
/*FIXME: check the MAC */
92
/* Read the trustlist and return entry by entry. KEY must point to a
93
buffer of at least 41 characters. KEYFLAG does return either 'P',
96
Reading a valid entry return 0, EOF returns -1 any other error
97
returns the appropriate error code. */
99
read_list (char *key, int *keyflag)
73
/* This function must be called once to initialize this module. This
74
has to be done before a second thread is spawned. We can't do the
75
static initialization because Pth emulation code might not be able
76
to do a static init; in particular, it is not possible for W32. */
78
initialize_module_trustlist (void)
80
static int initialized;
84
if (!pth_mutex_init (&trusttable_lock))
85
log_fatal ("error initializing mutex: %s\n", strerror (errno));
94
lock_trusttable (void)
96
if (!pth_mutex_acquire (&trusttable_lock, 0, NULL))
97
log_fatal ("failed to acquire mutex in %s\n", __FILE__);
101
unlock_trusttable (void)
103
if (!pth_mutex_release (&trusttable_lock))
104
log_fatal ("failed to release mutex in %s\n", __FILE__);
110
read_one_trustfile (const char *fname, int allow_include,
111
trustitem_t **addr_of_table,
112
size_t *addr_of_tablesize,
113
int *addr_of_tableidx)
103
118
char *p, line[256];
119
trustitem_t *table, *ti;
124
table = *addr_of_table;
125
tablesize = *addr_of_tablesize;
126
tableidx = *addr_of_tableidx;
128
fp = fopen (fname, "r");
131
err = gpg_error_from_syserror ();
132
log_error (_("error opening `%s': %s\n"), fname, gpg_strerror (err));
136
while (fgets (line, DIM(line)-1, fp))
114
if (!fgets (line, DIM(line)-1, trustfp) )
118
return gpg_error (gpg_err_code_from_errno (errno));
121
140
if (!*line || line[strlen(line)-1] != '\n')
123
/* eat until end of line */
124
while ( (c=getc (trustfp)) != EOF && c != '\n')
142
/* Eat until end of line. */
143
while ( (c=getc (fp)) != EOF && c != '\n')
126
return gpg_error (*line? GPG_ERR_LINE_TOO_LONG
127
: GPG_ERR_INCOMPLETE_LINE);
145
err = gpg_error (*line? GPG_ERR_LINE_TOO_LONG
146
: GPG_ERR_INCOMPLETE_LINE);
147
log_error (_("file `%s', line %d: %s\n"),
148
fname, lnr, gpg_strerror (err));
151
line[strlen(line)-1] = 0; /* Chop the LF. */
130
153
/* Allow for empty lines and spaces */
131
154
for (p=line; spacep (p); p++)
134
while (!*p || *p == '\n' || *p == '#');
156
if (!*p || *p == '#')
136
for (i=j=0; (p[i] == ':' || hexdigitp (p+i)) && j < 40; i++)
138
key[j++] = p[i] >= 'a'? (p[i] & 0xdf): p[i];
140
if (j!=40 || !(spacep (p+i) || p[i] == '\n'))
142
log_error ("invalid formatted fingerprint in trustlist\n");
143
return gpg_error (GPG_ERR_BAD_DATA);
151
if ( p[i] == 'P' || p[i] == 'p')
153
else if ( p[i] == 'S' || p[i] == 's')
155
else if ( p[i] == '*')
159
log_error ("invalid keyflag in trustlist\n");
160
return gpg_error (GPG_ERR_BAD_DATA);
163
if ( !(spacep (p+i) || p[i] == '\n'))
165
log_error ("invalid keyflag in trustlist\n");
166
return gpg_error (GPG_ERR_BAD_DATA);
159
if (!strncmp (p, "include-default", 15)
160
&& (!p[15] || spacep (p+15)))
167
log_error (_("statement \"%s\" ignored in `%s', line %d\n"),
168
"include-default", fname, lnr);
171
/* fixme: Should check for trailing garbage. */
173
etcname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
174
if ( !strcmp (etcname, fname) ) /* Same file. */
175
log_info (_("statement \"%s\" ignored in `%s', line %d\n"),
176
"include-default", fname, lnr);
177
else if ( access (etcname, F_OK) && errno == ENOENT )
179
/* A non existent system trustlist is not an error.
180
Just print a note. */
181
log_info (_("system trustlist `%s' not available\n"), etcname);
185
err2 = read_one_trustfile (etcname, 0,
186
&table, &tablesize, &tableidx);
195
if (tableidx == tablesize) /* Need more space. */
200
tmplen = tablesize + 20;
201
tmp = xtryrealloc (table, tmplen * sizeof *table);
204
err = gpg_error_from_syserror ();
211
ti = table + tableidx;
213
n = hexcolon2bin (p, ti->fpr, 20);
216
log_error (_("bad fingerprint in `%s', line %d\n"), fname, lnr);
217
err = gpg_error (GPG_ERR_BAD_DATA);
221
for (; spacep (p); p++)
224
memset (&ti->flags, 0, sizeof ti->flags);
225
/* Process the first flag which needs to be the first for
226
backward compatibility. */
227
if (!*p || *p == '*' )
229
ti->flags.for_smime = 1;
230
ti->flags.for_pgp = 1;
232
else if ( *p == 'P' || *p == 'p')
234
ti->flags.for_pgp = 1;
236
else if ( *p == 'S' || *p == 's')
238
ti->flags.for_smime = 1;
242
log_error (_("invalid keyflag in `%s', line %d\n"), fname, lnr);
243
err = gpg_error (GPG_ERR_BAD_DATA);
247
if ( *p && !spacep (p) )
249
log_error (_("invalid keyflag in `%s', line %d\n"), fname, lnr);
250
err = gpg_error (GPG_ERR_BAD_DATA);
254
/* Now check for more key-value pairs of the form NAME[=VALUE]. */
257
for (; spacep (p); p++)
261
n = strcspn (p, "= \t");
264
log_error ("assigning a value to a flag is not yet supported; "
265
"in `%s', line %d\n", fname, lnr);
266
err = gpg_error (GPG_ERR_BAD_DATA);
269
else if (n == 5 && !memcmp (p, "relax", 5))
271
else if (n == 2 && !memcmp (p, "cm", 2))
274
log_error ("flag `%.*s' in `%s', line %d ignored\n",
280
if ( !err && !feof (fp) )
282
err = gpg_error_from_syserror ();
283
log_error (_("error reading `%s', line %d: %s\n"),
284
fname, lnr, gpg_strerror (err));
290
*addr_of_table = table;
291
*addr_of_tablesize = tablesize;
292
*addr_of_tableidx = tableidx;
297
/* Read the trust files and update the global table on success. */
299
read_trustfiles (void)
302
trustitem_t *table, *ti;
306
int allow_include = 1;
309
table = xtrycalloc (tablesize, sizeof *table);
311
return gpg_error_from_syserror ();
314
fname = make_filename (opt.homedir, "trustlist.txt", NULL);
315
if ( access (fname, F_OK) )
317
if ( errno == ENOENT )
318
; /* Silently ignore a non-existing trustfile. */
321
err = gpg_error_from_syserror ();
322
log_error (_("error opening `%s': %s\n"), fname, gpg_strerror (err));
325
fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
328
err = read_one_trustfile (fname, allow_include,
329
&table, &tablesize, &tableidx);
335
if (gpg_err_code (err) == GPG_ERR_ENOENT)
337
/* Take a missing trustlist as an empty one. */
342
unlock_trusttable ();
348
/* Fixme: we should drop duplicates and sort the table. */
349
ti = xtryrealloc (table, (tableidx?tableidx:1) * sizeof *table);
359
trusttablesize = tableidx;
360
unlock_trusttable ();
173
366
/* Check whether the given fpr is in our trustdb. We expect FPR to be
174
367
an all uppercase hexstring of 40 characters. */
176
agent_istrusted (const char *fpr)
369
agent_istrusted (ctrl_t ctrl, const char *fpr)
185
while (!(rc=read_list (key, &keyflag)))
374
unsigned char fprbin[20];
376
if ( hexcolon2bin (fpr, fprbin, 20) < 0 )
377
return gpg_error (GPG_ERR_INV_VALUE);
187
if (!strcmp (key, fpr))
381
err = read_trustfiles ();
384
log_error (_("error reading list of trusted root certificates\n"));
195
/* Error in the trustdb - close it to give the user a chance for
391
for (ti=trusttable, len = trusttablesize; len; ti++, len--)
392
if (!memcmp (ti->fpr, fprbin, 20))
396
err = agent_write_status (ctrl,
397
"TRUSTLISTFLAG", "relax",
402
else if (ti->flags.cm)
404
err = agent_write_status (ctrl,
405
"TRUSTLISTFLAG", "cm",
410
return 0; /* Trusted. */
413
return gpg_error (GPG_ERR_NOT_TRUSTED);
206
417
/* Write all trust entries to FP. */
208
419
agent_listtrusted (void *assuan_context)
217
while (!(rc=read_list (key, &keyflag)))
222
assuan_send_data (assuan_context, key, 43);
223
assuan_send_data (assuan_context, NULL, 0); /* flush */
229
/* Error in the trustdb - close it to give the user a chance for
428
err = read_trustfiles ();
431
log_error (_("error reading list of trusted root certificates\n"));
438
/* We need to lock the table because the scheduler may interrupt
439
assuan_send_data and an other thread may then re-read the table. */
441
for (ti=trusttable, len = trusttablesize; len; ti++, len--)
443
bin2hex (ti->fpr, 20, key);
445
key[41] = ((ti->flags.for_smime && ti->flags.for_pgp)? '*'
446
: ti->flags.for_smime? 'S': ti->flags.for_pgp? 'P':' ');
448
assuan_send_data (assuan_context, key, 43);
449
assuan_send_data (assuan_context, NULL, 0); /* flush */
451
unlock_trusttable ();
458
/* Create a copy of string with colons inserted after each two bytes.
459
Caller needs to release the string. In case of a memory failure,
462
insert_colons (const char *string)
465
size_t n = strlen (string);
467
p = buffer = xtrymalloc ( n + (n+2)/3 + 1 );
240
486
/* Insert the given fpr into our trustdb. We expect FPR to be an all
241
487
uppercase hexstring of 40 characters. FLAG is either 'P' or 'C'.
242
This function does first check whether that key has alreay been put
488
This function does first check whether that key has already been put
243
489
into the trustdb and returns success in this case. Before a FPR
244
actually gets inserted, the user is asked by means of the pin-entry
245
whether this is actual wants he want to do.
248
agent_marktrusted (CTRL ctrl, const char *name, const char *fpr, int flag)
490
actually gets inserted, the user is asked by means of the Pinentry
491
whether this is actual wants he want to do. */
493
agent_marktrusted (ctrl_t ctrl, const char *name, const char *fpr, int flag)
256
502
/* Check whether we are at all allowed to modify the trustlist.
257
503
This is useful so that the trustlist may be a symlink to a global
258
504
trustlist with only admin priviliges to modify it. Of course
259
505
this is not a secure way of denying access, but it avoids the
260
usual clicking on an Okay buttun thing most users are used to. */
506
usual clicking on an Okay button most users are used to. */
261
507
fname = make_filename (opt.homedir, "trustlist.txt", NULL);
262
rc = access (fname, W_OK);
263
if (rc && errno != ENOENT)
508
if ( access (fname, W_OK) && errno != ENOENT)
266
511
return gpg_error (GPG_ERR_EPERM);
273
while (!(rc=read_list (key, &keyflag)))
275
if (!strcmp (key, fpr))
284
return rc; /* Error in the trustlist. */
515
if (!agent_istrusted (ctrl, fpr))
517
return 0; /* We already got this fingerprint. Silently return
287
521
/* This feature must explicitly been enabled. */
288
522
if (!opt.allow_mark_trusted)
291
return gpg_error (GPG_ERR_NOT_SUPPORTED);
523
return gpg_error (GPG_ERR_NOT_SUPPORTED);
294
525
/* Insert a new one. */
526
fprformatted = insert_colons (fpr);
528
return out_of_core ();
295
529
if (asprintf (&desc,
296
530
/* TRANSLATORS: This prompt is shown by the Pinentry
297
531
and has one special property: A "%%0A" is used by
336
576
"to correctly certify user certificates?"),
579
xfree (fprformatted);
340
580
return out_of_core ();
342
rc = agent_get_confirmation (ctrl, desc, _("Yes"), _("No"));
583
err = agent_get_confirmation (ctrl, desc, _("Yes"), _("No"));
350
/* Now check again to avoid duplicates. Also open in append mode now. */
358
while (!(rc=read_list (key, &keyflag)))
360
if (!strcmp (key, fpr))
587
xfree (fprformatted);
591
/* Now check again to avoid duplicates. We take the lock to make
592
sure that nobody else plays with our file. Frankly we don't work
593
with the trusttable but using this lock is just fine for our
596
if (!agent_istrusted (ctrl, fpr))
598
unlock_trusttable ();
599
xfree (fprformatted);
604
fname = make_filename (opt.homedir, "trustlist.txt", NULL);
605
if ( access (fname, F_OK) && errno == ENOENT)
607
fp = fopen (fname, "wx"); /* Warning: "x" is a GNU extension. */
610
err = gpg_error_from_syserror ();
611
log_error ("can't create `%s': %s\n", fname, gpg_strerror (err));
613
unlock_trusttable ();
614
xfree (fprformatted);
617
fputs (headerblurb, fp);
620
fp = fopen (fname, "a+");
372
return rc; /* Error in the trustlist. */
623
err = gpg_error_from_syserror ();
624
log_error ("can't open `%s': %s\n", fname, gpg_strerror (err));
626
unlock_trusttable ();
627
xfree (fprformatted);
376
631
/* Append the key. */
378
fputs ("\n# ", trustfp);
379
print_sanitized_string (trustfp, name, 0);
380
fprintf (trustfp, "\n%s %c\n", fpr, flag);
381
if (ferror (trustfp))
382
rc = gpg_error (gpg_err_code_from_errno (errno));
633
print_sanitized_string (fp, name, 0);
634
fprintf (fp, "\n%s %c\n", fprformatted, flag);
636
err = gpg_error_from_syserror ();
384
/* close because we are in append mode */
385
if (fclose (trustfp))
386
rc = gpg_error (gpg_err_code_from_errno (errno));
394
agent_trustlist_housekeeping (void)
396
if (reload_trustlist_pending && !trustfp_used)
403
reload_trustlist_pending = 0;
408
/* Not all editors are editing files in place, thus a changes
409
trustlist.txt won't be recognozed if we keep the file descriptor
410
open. This function may be used to explicitly close that file
411
descriptor, which will force a reopen in turn. */
639
err = gpg_error_from_syserror ();
642
agent_reload_trustlist ();
644
unlock_trusttable ();
645
xfree (fprformatted);
650
/* This function may be called to force reloading of the
413
653
agent_reload_trustlist (void)
415
reload_trustlist_pending = 1;
416
agent_trustlist_housekeeping ();
655
/* All we need to do is to delete the trusttable. At the next
656
access it will get re-read. */
661
unlock_trusttable ();
662
bump_key_eventcounter ();