~ubuntu-branches/ubuntu/vivid/gnupg2/vivid-proposed
» Revision
28
: .pc/fix_751266.patch/g10/trustdb.c
« back to all changes in this revision
Viewing changes to .pc/fix_751266.patch/g10/trustdb.c
- browse files at revision 28
- compare with another revision
- download diff
- download tarball
- view history from revision 28
- Committer: Package Import Robot
- Author(s): Marc Deslauriers
- Date: 2014-10-30 15:32:48 UTC
- mfrom: (14.1.17 sid)
- Revision ID: package-import@ubuntu.com-20141030153248-yzgwg8613ms7hrrz
Tags: 2.0.26-3ubuntu1
* Merge from Debian, remaining changes:
- Drop sh prefix from openpgp test environment as it leads to exec
invocations of sh /bin/bash leading to syntax errors from sh. Fixes
FTBFS detected in Ubuntu saucy archive rebuild.
- Add udev rules to give gpg access to some smartcard readers;
Debian #543217.
- debian/gnupg2.udev: udev rules to set ACLs on SCM smartcard readers.
- Add upstart user job for gpg-agent.
- debian/control: drop dirmngr to Suggests as it is in universe.
- Drop sh prefix from openpgp test environment as it leads to exec
invocations of sh /bin/bash leading to syntax errors from sh. Fixes
FTBFS detected in Ubuntu saucy archive rebuild.
- Add udev rules to give gpg access to some smartcard readers;
Debian #543217.
- debian/gnupg2.udev: udev rules to set ACLs on SCM smartcard readers.
- Add upstart user job for gpg-agent.
- debian/control: drop dirmngr to Suggests as it is in universe.
- files added:
- .pc/0001-warn-about-but-don-t-fail-on-scdaemon-options-in-gpg.patch
- .pc/0001-warn-about-but-don-t-fail-on-scdaemon-options-in-gpg.patch/g10
- .pc/fix_751266.patch
- .pc/fix_751266.patch/g10
- .pc/fix_760273.patch
- .pc/fix_760273.patch/doc
- files modified:
- .pc/01-gnupg2-rename.diff/configure.ac
added
removed
.pc/fix_751266.patch/g10/trustdb.c
1
/* trustdb.c
2
* Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
3
* 2008, 2012 Free Software Foundation, Inc.
4
*
5
* This file is part of GnuPG.
6
*
7
* GnuPG is free software; you can redistribute it and/or modify
8
* it under the terms of the GNU General Public License as published by
9
* the Free Software Foundation; either version 3 of the License, or
10
* (at your option) any later version.
11
*
12
* GnuPG is distributed in the hope that it will be useful,
13
* but WITHOUT ANY WARRANTY; without even the implied warranty of
14
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
* GNU General Public License for more details.
16
*
17
* You should have received a copy of the GNU General Public License
18
* along with this program; if not, see <http://www.gnu.org/licenses/>.
19
*/
20
21
#include <config.h>
22
#include <stdio.h>
23
#include <stdlib.h>
24
#include <string.h>
25
#include <assert.h>
26
27
#ifndef DISABLE_REGEX
28
#include <sys/types.h>
29
#include <regex.h>
30
#endif /* !DISABLE_REGEX */
31
32
#include "gpg.h"
33
#include "status.h"
34
#include "iobuf.h"
35
#include "keydb.h"
36
#include "util.h"
37
#include "options.h"
38
#include "packet.h"
39
#include "main.h"
40
#include "i18n.h"
41
#include "tdbio.h"
42
#include "trustdb.h"
43
44
45
/*
46
* A structure to store key identification as well as some stuff needed
47
* for validation
48
*/
49
struct key_item {
50
struct key_item *next;
51
unsigned int ownertrust,min_ownertrust;
52
byte trust_depth;
53
byte trust_value;
54
char *trust_regexp;
55
u32 kid[2];
56
};
57
58
59
typedef struct key_item **KeyHashTable; /* see new_key_hash_table() */
60
61
/*
62
* Structure to keep track of keys, this is used as an array wherre
63
* the item right after the last one has a keyblock set to NULL.
64
* Maybe we can drop this thing and replace it by key_item
65
*/
66
struct key_array {
67
KBNODE keyblock;
68
};
69
70
71
/* control information for the trust DB */
72
static struct {
73
int init;
74
int level;
75
char *dbname;
76
int no_trustdb; /* Set if a trustdb file is not available. */
77
} trustdb_args;
78
79
/* some globals */
80
static struct key_item *user_utk_list; /* temp. used to store --trusted-keys */
81
static struct key_item *utk_list; /* all ultimately trusted keys */
82
83
static int pending_check_trustdb;
84
85
static int validate_keys (int interactive);
86
87
88
/**********************************************
89
************* some helpers *******************
90
**********************************************/
91
92
static struct key_item *
93
new_key_item (void)
94
{
95
struct key_item *k;
96
97
k = xmalloc_clear (sizeof *k);
98
return k;
99
}
100
101
static void
102
release_key_items (struct key_item *k)
103
{
104
struct key_item *k2;
105
106
for (; k; k = k2)
107
{
108
k2 = k->next;
109
xfree (k->trust_regexp);
110
xfree (k);
111
}
112
}
113
114
/*
115
* For fast keylook up we need a hash table. Each byte of a KeyIDs
116
* should be distributed equally over the 256 possible values (except
117
* for v3 keyIDs but we consider them as not important here). So we
118
* can just use 10 bits to index a table of 1024 key items.
119
* Possible optimization: Don not use key_items but other hash_table when the
120
* duplicates lists gets too large.
121
*/
122
static KeyHashTable
123
new_key_hash_table (void)
124
{
125
struct key_item **tbl;
126
127
tbl = xmalloc_clear (1024 * sizeof *tbl);
128
return tbl;
129
}
130
131
static void
132
release_key_hash_table (KeyHashTable tbl)
133
{
134
int i;
135
136
if (!tbl)
137
return;
138
for (i=0; i < 1024; i++)
139
release_key_items (tbl[i]);
140
xfree (tbl);
141
}
142
143
/*
144
* Returns: True if the keyID is in the given hash table
145
*/
146
static int
147
test_key_hash_table (KeyHashTable tbl, u32 *kid)
148
{
149
struct key_item *k;
150
151
for (k = tbl[(kid[1] & 0x03ff)]; k; k = k->next)
152
if (k->kid[0] == kid[0] && k->kid[1] == kid[1])
153
return 1;
154
return 0;
155
}
156
157
/*
158
* Add a new key to the hash table. The key is identified by its key ID.
159
*/
160
static void
161
add_key_hash_table (KeyHashTable tbl, u32 *kid)
162
{
163
struct key_item *k, *kk;
164
165
for (k = tbl[(kid[1] & 0x03ff)]; k; k = k->next)
166
if (k->kid[0] == kid[0] && k->kid[1] == kid[1])
167
return; /* already in table */
168
169
kk = new_key_item ();
170
kk->kid[0] = kid[0];
171
kk->kid[1] = kid[1];
172
kk->next = tbl[(kid[1] & 0x03ff)];
173
tbl[(kid[1] & 0x03ff)] = kk;
174
}
175
176
/*
177
* Release a key_array
178
*/
179
static void
180
release_key_array ( struct key_array *keys )
181
{
182
struct key_array *k;
183
184
if (keys) {
185
for (k=keys; k->keyblock; k++)
186
release_kbnode (k->keyblock);
187
xfree (keys);
188
}
189
}
190
191
192
/*********************************************
193
********** Initialization *****************
194
*********************************************/
195
196
197
198
/*
199
* Used to register extra ultimately trusted keys - this has to be done
200
* before initializing the validation module.
201
* FIXME: Should be replaced by a function to add those keys to the trustdb.
202
*/
203
void
204
register_trusted_keyid(u32 *keyid)
205
{
206
struct key_item *k;
207
208
k = new_key_item ();
209
k->kid[0] = keyid[0];
210
k->kid[1] = keyid[1];
211
k->next = user_utk_list;
212
user_utk_list = k;
213
}
214
215
void
216
register_trusted_key( const char *string )
217
{
218
KEYDB_SEARCH_DESC desc;
219
220
if (classify_user_id (string, &desc) != KEYDB_SEARCH_MODE_LONG_KID )
221
{
222
log_error(_("`%s' is not a valid long keyID\n"), string );
223
return;
224
}
225
226
register_trusted_keyid(desc.u.kid);
227
}
228
229
/*
230
* Helper to add a key to the global list of ultimately trusted keys.
231
* Retruns: true = inserted, false = already in in list.
232
*/
233
static int
234
add_utk (u32 *kid)
235
{
236
struct key_item *k;
237
238
for (k = utk_list; k; k = k->next)
239
{
240
if (k->kid[0] == kid[0] && k->kid[1] == kid[1])
241
{
242
return 0;
243
}
244
}
245
246
k = new_key_item ();
247
k->kid[0] = kid[0];
248
k->kid[1] = kid[1];
249
k->ownertrust = TRUST_ULTIMATE;
250
k->next = utk_list;
251
utk_list = k;
252
if( opt.verbose > 1 )
253
log_info(_("key %s: accepted as trusted key\n"), keystr(kid));
254
return 1;
255
}
256
257
258
/****************
259
* Verify that all our secret keys are usable and put them into the utk_list.
260
*/
261
static void
262
verify_own_keys(void)
263
{
264
TRUSTREC rec;
265
ulong recnum;
266
int rc;
267
struct key_item *k;
268
269
if (utk_list)
270
return;
271
272
/* scan the trustdb to find all ultimately trusted keys */
273
for (recnum=1; !tdbio_read_record (recnum, &rec, 0); recnum++ )
274
{
275
if ( rec.rectype == RECTYPE_TRUST
276
&& (rec.r.trust.ownertrust & TRUST_MASK) == TRUST_ULTIMATE)
277
{
278
byte *fpr = rec.r.trust.fingerprint;
279
int fprlen;
280
u32 kid[2];
281
282
/* Problem: We do only use fingerprints in the trustdb but
283
* we need the keyID here to indetify the key; we can only
284
* use that ugly hack to distinguish between 16 and 20
285
* butes fpr - it does not work always so we better change
286
* the whole validation code to only work with
287
* fingerprints */
288
fprlen = (!fpr[16] && !fpr[17] && !fpr[18] && !fpr[19])? 16:20;
289
keyid_from_fingerprint (fpr, fprlen, kid);
290
if (!add_utk (kid))
291
log_info(_("key %s occurs more than once in the trustdb\n"),
292
keystr(kid));
293
}
294
}
295
296
/* Put any --trusted-key keys into the trustdb */
297
for (k = user_utk_list; k; k = k->next)
298
{
299
if ( add_utk (k->kid) )
300
{ /* not yet in trustDB as ultimately trusted */
301
PKT_public_key pk;
302
303
memset (&pk, 0, sizeof pk);
304
rc = get_pubkey (&pk, k->kid);
305
if (rc)
306
log_info(_("key %s: no public key for trusted key - skipped\n"),
307
keystr(k->kid));
308
else
309
{
310
update_ownertrust (&pk,
311
((get_ownertrust (&pk) & ~TRUST_MASK)
312
| TRUST_ULTIMATE ));
313
release_public_key_parts (&pk);
314
}
315
316
log_info (_("key %s marked as ultimately trusted\n"),keystr(k->kid));
317
}
318
}
319
320
/* release the helper table table */
321
release_key_items (user_utk_list);
322
user_utk_list = NULL;
323
return;
324
}
325
326
327
/*********************************************
328
*********** TrustDB stuff *******************
329
*********************************************/
330
331
/*
332
* Read a record but die if it does not exist
333
*/
334
static void
335
read_record (ulong recno, TRUSTREC *rec, int rectype )
336
{
337
int rc = tdbio_read_record (recno, rec, rectype);
338
if (rc)
339
{
340
log_error(_("trust record %lu, req type %d: read failed: %s\n"),
341
recno, rec->rectype, g10_errstr(rc) );
342
tdbio_invalid();
343
}
344
if (rectype != rec->rectype)
345
{
346
log_error(_("trust record %lu is not of requested type %d\n"),
347
rec->recnum, rectype);
348
tdbio_invalid();
349
}
350
}
351
352
/*
353
* Write a record and die on error
354
*/
355
static void
356
write_record (TRUSTREC *rec)
357
{
358
int rc = tdbio_write_record (rec);
359
if (rc)
360
{
361
log_error(_("trust record %lu, type %d: write failed: %s\n"),
362
rec->recnum, rec->rectype, g10_errstr(rc) );
363
tdbio_invalid();
364
}
365
}
366
367
/*
368
* sync the TrustDb and die on error
369
*/
370
static void
371
do_sync(void)
372
{
373
int rc = tdbio_sync ();
374
if(rc)
375
{
376
log_error (_("trustdb: sync failed: %s\n"), g10_errstr(rc) );
377
g10_exit(2);
378
}
379
}
380
381
static const char *
382
trust_model_string(void)
383
{
384
switch(opt.trust_model)
385
{
386
case TM_CLASSIC: return "classic";
387
case TM_PGP: return "PGP";
388
case TM_EXTERNAL: return "external";
389
case TM_ALWAYS: return "always";
390
case TM_DIRECT: return "direct";
391
default: return "unknown";
392
}
393
}
394
395
/****************
396
* Perform some checks over the trustdb
397
* level 0: only open the db
398
* 1: used for initial program startup
399
*/
400
int
401
setup_trustdb( int level, const char *dbname )
402
{
403
/* just store the args */
404
if( trustdb_args.init )
405
return 0;
406
trustdb_args.level = level;
407
trustdb_args.dbname = dbname? xstrdup(dbname): NULL;
408
return 0;
409
}
410
411
void
412
how_to_fix_the_trustdb ()
413
{
414
const char *name = trustdb_args.dbname;
415
416
if (!name)
417
name = "trustdb.gpg";
418
419
log_info (_("You may try to re-create the trustdb using the commands:\n"));
420
log_info (" cd %s\n", default_homedir ());
421
log_info (" gpg2 --export-ownertrust > otrust.tmp\n");
422
#ifdef HAVE_W32_SYSTEM
423
log_info (" del %s\n", name);
424
#else
425
log_info (" rm %s\n", name);
426
#endif
427
log_info (" gpg2 --import-ownertrust < otrust.tmp\n");
428
log_info (_("If that does not work, please consult the manual\n"));
429
}
430
431
432
void
433
init_trustdb()
434
{
435
int level = trustdb_args.level;
436
const char* dbname = trustdb_args.dbname;
437
438
if( trustdb_args.init )
439
return;
440
441
trustdb_args.init = 1;
442
443
if(level==0 || level==1)
444
{
445
int rc = tdbio_set_dbname (dbname, !!level, &trustdb_args.no_trustdb);
446
if( rc )
447
log_fatal("can't init trustdb: %s\n", g10_errstr(rc) );
448
}
449
else
450
BUG();
451
452
if(opt.trust_model==TM_AUTO)
453
{
454
/* Try and set the trust model off of whatever the trustdb says
455
it is. */
456
opt.trust_model=tdbio_read_model();
457
458
/* Sanity check this ;) */
459
if(opt.trust_model!=TM_CLASSIC
460
&& opt.trust_model!=TM_PGP
461
&& opt.trust_model!=TM_EXTERNAL)
462
{
463
log_info(_("unable to use unknown trust model (%d) - "
464
"assuming %s trust model\n"),opt.trust_model,"PGP");
465
opt.trust_model=TM_PGP;
466
}
467
468
if(opt.verbose)
469
log_info(_("using %s trust model\n"),trust_model_string());
470
}
471
472
if(opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC)
473
{
474
/* Verify the list of ultimately trusted keys and move the
475
--trusted-keys list there as well. */
476
if(level==1)
477
verify_own_keys();
478
479
if(!tdbio_db_matches_options())
480
pending_check_trustdb=1;
481
}
482
}
483
484
485
/***********************************************
486
************* Print helpers ****************
487
***********************************************/
488
489
/****************
490
* This function returns a letter for a trustvalue Trust flags
491
* are ignore.
492
*/
493
static int
494
trust_letter (unsigned int value)
495
{
496
switch( (value & TRUST_MASK) )
497
{
498
case TRUST_UNKNOWN: return '-';
499
case TRUST_EXPIRED: return 'e';
500
case TRUST_UNDEFINED: return 'q';
501
case TRUST_NEVER: return 'n';
502
case TRUST_MARGINAL: return 'm';
503
case TRUST_FULLY: return 'f';
504
case TRUST_ULTIMATE: return 'u';
505
default: return '?';
506
}
507
}
508
509
const char *
510
uid_trust_string_fixed(PKT_public_key *key,PKT_user_id *uid)
511
{
512
if(!key && !uid)
513
/* TRANSLATORS: these strings are similar to those in
514
trust_value_to_string(), but are a fixed length. This is needed to
515
make attractive information listings where columns line up
516
properly. The value "10" should be the length of the strings you
517
choose to translate to. This is the length in printable columns.
518
It gets passed to atoi() so everything after the number is
519
essentially a comment and need not be translated. Either key and
520
uid are both NULL, or neither are NULL. */
521
return _("10 translator see trustdb.c:uid_trust_string_fixed");
522
else if(uid->is_revoked || (key && key->is_revoked))
523
return _("[ revoked]");
524
else if(uid->is_expired)
525
return _("[ expired]");
526
else if(key)
527
switch(get_validity(key,uid)&TRUST_MASK)
528
{
529
case TRUST_UNKNOWN: return _("[ unknown]");
530
case TRUST_EXPIRED: return _("[ expired]");
531
case TRUST_UNDEFINED: return _("[ undef ]");
532
case TRUST_MARGINAL: return _("[marginal]");
533
case TRUST_FULLY: return _("[ full ]");
534
case TRUST_ULTIMATE: return _("[ultimate]");
535
}
536
537
return "err";
538
}
539
540
/* The strings here are similar to those in
541
pkclist.c:do_edit_ownertrust() */
542
const char *
543
trust_value_to_string (unsigned int value)
544
{
545
switch( (value & TRUST_MASK) )
546
{
547
case TRUST_UNKNOWN: return _("unknown");
548
case TRUST_EXPIRED: return _("expired");
549
case TRUST_UNDEFINED: return _("undefined");
550
case TRUST_NEVER: return _("never");
551
case TRUST_MARGINAL: return _("marginal");
552
case TRUST_FULLY: return _("full");
553
case TRUST_ULTIMATE: return _("ultimate");
554
default: return "err";
555
}
556
}
557
558
int
559
string_to_trust_value (const char *str)
560
{
561
if(ascii_strcasecmp(str,"undefined")==0)
562
return TRUST_UNDEFINED;
563
else if(ascii_strcasecmp(str,"never")==0)
564
return TRUST_NEVER;
565
else if(ascii_strcasecmp(str,"marginal")==0)
566
return TRUST_MARGINAL;
567
else if(ascii_strcasecmp(str,"full")==0)
568
return TRUST_FULLY;
569
else if(ascii_strcasecmp(str,"ultimate")==0)
570
return TRUST_ULTIMATE;
571
else
572
return -1;
573
}
574
575
/****************
576
* Recreate the WoT but do not ask for new ownertrusts. Special
577
* feature: In batch mode and without a forced yes, this is only done
578
* when a check is due. This can be used to run the check from a crontab
579
*/
580
void
581
check_trustdb ()
582
{
583
init_trustdb();
584
if(opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC)
585
{
586
if (opt.batch && !opt.answer_yes)
587
{
588
ulong scheduled;
589
590
scheduled = tdbio_read_nextcheck ();
591
if (!scheduled)
592
{
593
log_info (_("no need for a trustdb check\n"));
594
return;
595
}
596
597
if (scheduled > make_timestamp ())
598
{
599
log_info (_("next trustdb check due at %s\n"),
600
strtimestamp (scheduled));
601
return;
602
}
603
}
604
605
validate_keys (0);
606
}
607
else
608
log_info (_("no need for a trustdb check with `%s' trust model\n"),
609
trust_model_string());
610
}
611
612
613
/*
614
* Recreate the WoT.
615
*/
616
void
617
update_trustdb()
618
{
619
init_trustdb();
620
if(opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC)
621
validate_keys (1);
622
else
623
log_info (_("no need for a trustdb update with `%s' trust model\n"),
624
trust_model_string());
625
}
626
627
void
628
revalidation_mark (void)
629
{
630
init_trustdb();
631
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
632
return;
633
634
/* we simply set the time for the next check to 1 (far back in 1970)
635
* so that a --update-trustdb will be scheduled */
636
if (tdbio_write_nextcheck (1))
637
do_sync ();
638
pending_check_trustdb = 1;
639
}
640
641
int
642
trustdb_pending_check(void)
643
{
644
return pending_check_trustdb;
645
}
646
647
/* If the trustdb is dirty, and we're interactive, update it.
648
Otherwise, check it unless no-auto-check-trustdb is set. */
649
void
650
trustdb_check_or_update(void)
651
{
652
if(trustdb_pending_check())
653
{
654
if(opt.interactive)
655
update_trustdb();
656
else if(!opt.no_auto_check_trustdb)
657
check_trustdb();
658
}
659
}
660
661
void
662
read_trust_options(byte *trust_model,ulong *created,ulong *nextcheck,
663
byte *marginals,byte *completes,byte *cert_depth,
664
byte *min_cert_level)
665
{
666
TRUSTREC opts;
667
668
init_trustdb();
669
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
670
memset (&opts, 0, sizeof opts);
671
else
672
read_record(0,&opts,RECTYPE_VER);
673
674
if(trust_model)
675
*trust_model=opts.r.ver.trust_model;
676
if(created)
677
*created=opts.r.ver.created;
678
if(nextcheck)
679
*nextcheck=opts.r.ver.nextcheck;
680
if(marginals)
681
*marginals=opts.r.ver.marginals;
682
if(completes)
683
*completes=opts.r.ver.completes;
684
if(cert_depth)
685
*cert_depth=opts.r.ver.cert_depth;
686
if(min_cert_level)
687
*min_cert_level=opts.r.ver.min_cert_level;
688
}
689
690
/***********************************************
691
*********** Ownertrust et al. ****************
692
***********************************************/
693
694
static int
695
read_trust_record (PKT_public_key *pk, TRUSTREC *rec)
696
{
697
int rc;
698
699
init_trustdb();
700
rc = tdbio_search_trust_bypk (pk, rec);
701
if (rc == -1)
702
return -1; /* no record yet */
703
if (rc)
704
{
705
log_error ("trustdb: searching trust record failed: %s\n",
706
g10_errstr (rc));
707
return rc;
708
}
709
710
if (rec->rectype != RECTYPE_TRUST)
711
{
712
log_error ("trustdb: record %lu is not a trust record\n",
713
rec->recnum);
714
return G10ERR_TRUSTDB;
715
}
716
717
return 0;
718
}
719
720
/****************
721
* Return the assigned ownertrust value for the given public key.
722
* The key should be the primary key.
723
*/
724
unsigned int
725
get_ownertrust ( PKT_public_key *pk)
726
{
727
TRUSTREC rec;
728
int rc;
729
730
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
731
return TRUST_UNKNOWN;
732
733
rc = read_trust_record (pk, &rec);
734
if (rc == -1)
735
return TRUST_UNKNOWN; /* no record yet */
736
if (rc)
737
{
738
tdbio_invalid ();
739
return rc; /* actually never reached */
740
}
741
742
return rec.r.trust.ownertrust;
743
}
744
745
unsigned int
746
get_min_ownertrust (PKT_public_key *pk)
747
{
748
TRUSTREC rec;
749
int rc;
750
751
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
752
return TRUST_UNKNOWN;
753
754
rc = read_trust_record (pk, &rec);
755
if (rc == -1)
756
return TRUST_UNKNOWN; /* no record yet */
757
if (rc)
758
{
759
tdbio_invalid ();
760
return rc; /* actually never reached */
761
}
762
763
return rec.r.trust.min_ownertrust;
764
}
765
766
/*
767
* Same as get_ownertrust but this takes the minimum ownertrust value
768
* into into account, and will bump up the value as needed.
769
*/
770
static int
771
get_ownertrust_with_min (PKT_public_key *pk)
772
{
773
unsigned int otrust,otrust_min;
774
775
otrust = (get_ownertrust (pk) & TRUST_MASK);
776
otrust_min = get_min_ownertrust (pk);
777
if(otrust<otrust_min)
778
{
779
/* If the trust that the user has set is less than the trust
780
that was calculated from a trust signature chain, use the
781
higher of the two. We do this here and not in
782
get_ownertrust since the underlying ownertrust should not
783
really be set - just the appearance of the ownertrust. */
784
785
otrust=otrust_min;
786
}
787
788
return otrust;
789
}
790
791
/*
792
* Same as get_ownertrust but return a trust letter instead of an
793
* value. This takes the minimum ownertrust value into account.
794
*/
795
int
796
get_ownertrust_info (PKT_public_key *pk)
797
{
798
return trust_letter(get_ownertrust_with_min(pk));
799
}
800
801
/*
802
* Same as get_ownertrust but return a trust string instead of an
803
* value. This takes the minimum ownertrust value into account.
804
*/
805
const char *
806
get_ownertrust_string (PKT_public_key *pk)
807
{
808
return trust_value_to_string(get_ownertrust_with_min(pk));
809
}
810
811
/*
812
* Set the trust value of the given public key to the new value.
813
* The key should be a primary one.
814
*/
815
void
816
update_ownertrust (PKT_public_key *pk, unsigned int new_trust )
817
{
818
TRUSTREC rec;
819
int rc;
820
821
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
822
return;
823
824
rc = read_trust_record (pk, &rec);
825
if (!rc)
826
{
827
if (DBG_TRUST)
828
log_debug ("update ownertrust from %u to %u\n",
829
(unsigned int)rec.r.trust.ownertrust, new_trust );
830
if (rec.r.trust.ownertrust != new_trust)
831
{
832
rec.r.trust.ownertrust = new_trust;
833
write_record( &rec );
834
revalidation_mark ();
835
do_sync ();
836
}
837
}
838
else if (rc == -1)
839
{ /* no record yet - create a new one */
840
size_t dummy;
841
842
if (DBG_TRUST)
843
log_debug ("insert ownertrust %u\n", new_trust );
844
845
memset (&rec, 0, sizeof rec);
846
rec.recnum = tdbio_new_recnum ();
847
rec.rectype = RECTYPE_TRUST;
848
fingerprint_from_pk (pk, rec.r.trust.fingerprint, &dummy);
849
rec.r.trust.ownertrust = new_trust;
850
write_record (&rec);
851
revalidation_mark ();
852
do_sync ();
853
rc = 0;
854
}
855
else
856
{
857
tdbio_invalid ();
858
}
859
}
860
861
static void
862
update_min_ownertrust (u32 *kid, unsigned int new_trust )
863
{
864
PKT_public_key *pk;
865
TRUSTREC rec;
866
int rc;
867
868
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
869
return;
870
871
pk = xmalloc_clear (sizeof *pk);
872
rc = get_pubkey (pk, kid);
873
if (rc)
874
{
875
log_error(_("public key %s not found: %s\n"),keystr(kid),g10_errstr(rc));
876
return;
877
}
878
879
rc = read_trust_record (pk, &rec);
880
if (!rc)
881
{
882
if (DBG_TRUST)
883
log_debug ("key %08lX%08lX: update min_ownertrust from %u to %u\n",
884
(ulong)kid[0],(ulong)kid[1],
885
(unsigned int)rec.r.trust.min_ownertrust,
886
new_trust );
887
if (rec.r.trust.min_ownertrust != new_trust)
888
{
889
rec.r.trust.min_ownertrust = new_trust;
890
write_record( &rec );
891
revalidation_mark ();
892
do_sync ();
893
}
894
}
895
else if (rc == -1)
896
{ /* no record yet - create a new one */
897
size_t dummy;
898
899
if (DBG_TRUST)
900
log_debug ("insert min_ownertrust %u\n", new_trust );
901
902
memset (&rec, 0, sizeof rec);
903
rec.recnum = tdbio_new_recnum ();
904
rec.rectype = RECTYPE_TRUST;
905
fingerprint_from_pk (pk, rec.r.trust.fingerprint, &dummy);
906
rec.r.trust.min_ownertrust = new_trust;
907
write_record (&rec);
908
revalidation_mark ();
909
do_sync ();
910
rc = 0;
911
}
912
else
913
{
914
tdbio_invalid ();
915
}
916
}
917
918
/* Clear the ownertrust and min_ownertrust values. Return true if a
919
change actually happened. */
920
int
921
clear_ownertrusts (PKT_public_key *pk)
922
{
923
TRUSTREC rec;
924
int rc;
925
926
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
927
return 0;
928
929
rc = read_trust_record (pk, &rec);
930
if (!rc)
931
{
932
if (DBG_TRUST)
933
{
934
log_debug ("clearing ownertrust (old value %u)\n",
935
(unsigned int)rec.r.trust.ownertrust);
936
log_debug ("clearing min_ownertrust (old value %u)\n",
937
(unsigned int)rec.r.trust.min_ownertrust);
938
}
939
if (rec.r.trust.ownertrust || rec.r.trust.min_ownertrust)
940
{
941
rec.r.trust.ownertrust = 0;
942
rec.r.trust.min_ownertrust = 0;
943
write_record( &rec );
944
revalidation_mark ();
945
do_sync ();
946
return 1;
947
}
948
}
949
else if (rc != -1)
950
{
951
tdbio_invalid ();
952
}
953
return 0;
954
}
955
956
/*
957
* Note: Caller has to do a sync
958
*/
959
static void
960
update_validity (PKT_public_key *pk, PKT_user_id *uid,
961
int depth, int validity)
962
{
963
TRUSTREC trec, vrec;
964
int rc;
965
ulong recno;
966
967
namehash_from_uid(uid);
968
969
rc = read_trust_record (pk, &trec);
970
if (rc && rc != -1)
971
{
972
tdbio_invalid ();
973
return;
974
}
975
if (rc == -1) /* no record yet - create a new one */
976
{
977
size_t dummy;
978
979
rc = 0;
980
memset (&trec, 0, sizeof trec);
981
trec.recnum = tdbio_new_recnum ();
982
trec.rectype = RECTYPE_TRUST;
983
fingerprint_from_pk (pk, trec.r.trust.fingerprint, &dummy);
984
trec.r.trust.ownertrust = 0;
985
}
986
987
/* locate an existing one */
988
recno = trec.r.trust.validlist;
989
while (recno)
990
{
991
read_record (recno, &vrec, RECTYPE_VALID);
992
if ( !memcmp (vrec.r.valid.namehash, uid->namehash, 20) )
993
break;
994
recno = vrec.r.valid.next;
995
}
996
997
if (!recno) /* insert a new validity record */
998
{
999
memset (&vrec, 0, sizeof vrec);
1000
vrec.recnum = tdbio_new_recnum ();
1001
vrec.rectype = RECTYPE_VALID;
1002
memcpy (vrec.r.valid.namehash, uid->namehash, 20);
1003
vrec.r.valid.next = trec.r.trust.validlist;
1004
trec.r.trust.validlist = vrec.recnum;
1005
}
1006
vrec.r.valid.validity = validity;
1007
vrec.r.valid.full_count = uid->help_full_count;
1008
vrec.r.valid.marginal_count = uid->help_marginal_count;
1009
write_record (&vrec);
1010
trec.r.trust.depth = depth;
1011
write_record (&trec);
1012
}
1013
1014
1015
/***********************************************
1016
********* Query trustdb values **************
1017
***********************************************/
1018
1019
/* Return true if key is disabled */
1020
int
1021
cache_disabled_value(PKT_public_key *pk)
1022
{
1023
int rc;
1024
TRUSTREC trec;
1025
int disabled=0;
1026
1027
if(pk->is_disabled)
1028
return (pk->is_disabled==2);
1029
1030
init_trustdb();
1031
if (trustdb_args.no_trustdb)
1032
return 0; /* No trustdb => not disabled. */
1033
1034
rc = read_trust_record (pk, &trec);
1035
if (rc && rc != -1)
1036
{
1037
tdbio_invalid ();
1038
goto leave;
1039
}
1040
if (rc == -1) /* no record found, so assume not disabled */
1041
goto leave;
1042
1043
if(trec.r.trust.ownertrust & TRUST_FLAG_DISABLED)
1044
disabled=1;
1045
1046
/* Cache it for later so we don't need to look at the trustdb every
1047
time */
1048
if(disabled)
1049
pk->is_disabled=2;
1050
else
1051
pk->is_disabled=1;
1052
1053
leave:
1054
return disabled;
1055
}
1056
1057
void
1058
check_trustdb_stale(void)
1059
{
1060
static int did_nextcheck=0;
1061
1062
init_trustdb ();
1063
if (trustdb_args.no_trustdb)
1064
return; /* No trustdb => can't be stale. */
1065
1066
if (!did_nextcheck
1067
&& (opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC))
1068
{
1069
ulong scheduled;
1070
1071
did_nextcheck = 1;
1072
scheduled = tdbio_read_nextcheck ();
1073
if ((scheduled && scheduled <= make_timestamp ())
1074
|| pending_check_trustdb)
1075
{
1076
if (opt.no_auto_check_trustdb)
1077
{
1078
pending_check_trustdb = 1;
1079
log_info (_("please do a --check-trustdb\n"));
1080
}
1081
else
1082
{
1083
log_info (_("checking the trustdb\n"));
1084
validate_keys (0);
1085
}
1086
}
1087
}
1088
}
1089
1090
/*
1091
* Return the validity information for PK. If the namehash is not
1092
* NULL, the validity of the corresponsing user ID is returned,
1093
* otherwise, a reasonable value for the entire key is returned.
1094
*/
1095
unsigned int
1096
get_validity (PKT_public_key *pk, PKT_user_id *uid)
1097
{
1098
TRUSTREC trec, vrec;
1099
int rc;
1100
ulong recno;
1101
unsigned int validity;
1102
u32 kid[2];
1103
PKT_public_key *main_pk;
1104
1105
if(uid)
1106
namehash_from_uid(uid);
1107
1108
init_trustdb ();
1109
1110
/* If we have no trustdb (which also means it has not been created)
1111
and the trust-model is always, we don't know the validity -
1112
return immediately. If we won't do that the tdbio code would try
1113
to open the trustdb and run into a fatal error. */
1114
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
1115
return TRUST_UNKNOWN;
1116
1117
check_trustdb_stale();
1118
1119
keyid_from_pk (pk, kid);
1120
if (pk->main_keyid[0] != kid[0] || pk->main_keyid[1] != kid[1])
1121
{ /* this is a subkey - get the mainkey */
1122
main_pk = xmalloc_clear (sizeof *main_pk);
1123
rc = get_pubkey (main_pk, pk->main_keyid);
1124
if (rc)
1125
{
1126
char *tempkeystr=xstrdup(keystr(pk->main_keyid));
1127
log_error ("error getting main key %s of subkey %s: %s\n",
1128
tempkeystr, keystr(kid), g10_errstr(rc));
1129
xfree(tempkeystr);
1130
validity = TRUST_UNKNOWN;
1131
goto leave;
1132
}
1133
}
1134
else
1135
main_pk = pk;
1136
1137
if(opt.trust_model==TM_DIRECT)
1138
{
1139
/* Note that this happens BEFORE any user ID stuff is checked.
1140
The direct trust model applies to keys as a whole. */
1141
validity=get_ownertrust(main_pk);
1142
goto leave;
1143
}
1144
1145
rc = read_trust_record (main_pk, &trec);
1146
if (rc && rc != -1)
1147
{
1148
tdbio_invalid ();
1149
return 0;
1150
}
1151
if (rc == -1) /* no record found */
1152
{
1153
validity = TRUST_UNKNOWN;
1154
goto leave;
1155
}
1156
1157
/* loop over all user IDs */
1158
recno = trec.r.trust.validlist;
1159
validity = 0;
1160
while (recno)
1161
{
1162
read_record (recno, &vrec, RECTYPE_VALID);
1163
1164
if(uid)
1165
{
1166
/* If a user ID is given we return the validity for that
1167
user ID ONLY. If the namehash is not found, then there
1168
is no validity at all (i.e. the user ID wasn't
1169
signed). */
1170
if(memcmp(vrec.r.valid.namehash,uid->namehash,20)==0)
1171
{
1172
validity=(vrec.r.valid.validity & TRUST_MASK);
1173
break;
1174
}
1175
}
1176
else
1177
{
1178
/* If no namehash is given, we take the maximum validity
1179
over all user IDs */
1180
if ( validity < (vrec.r.valid.validity & TRUST_MASK) )
1181
validity = (vrec.r.valid.validity & TRUST_MASK);
1182
}
1183
1184
recno = vrec.r.valid.next;
1185
}
1186
1187
if ( (trec.r.trust.ownertrust & TRUST_FLAG_DISABLED) )
1188
{
1189
validity |= TRUST_FLAG_DISABLED;
1190
pk->is_disabled=2;
1191
}
1192
else
1193
pk->is_disabled=1;
1194
1195
leave:
1196
/* set some flags direct from the key */
1197
if (main_pk->is_revoked)
1198
validity |= TRUST_FLAG_REVOKED;
1199
if (main_pk != pk && pk->is_revoked)
1200
validity |= TRUST_FLAG_SUB_REVOKED;
1201
/* Note: expiration is a trust value and not a flag - don't know why
1202
* I initially designed it that way */
1203
if (main_pk->has_expired || pk->has_expired)
1204
validity = (validity & ~TRUST_MASK) | TRUST_EXPIRED;
1205
1206
if (pending_check_trustdb)
1207
validity |= TRUST_FLAG_PENDING_CHECK;
1208
1209
if (main_pk != pk)
1210
free_public_key (main_pk);
1211
return validity;
1212
}
1213
1214
int
1215
get_validity_info (PKT_public_key *pk, PKT_user_id *uid)
1216
{
1217
int trustlevel;
1218
1219
if (!pk)
1220
return '?'; /* Just in case a NULL PK is passed. */
1221
1222
trustlevel = get_validity (pk, uid);
1223
if ( (trustlevel & TRUST_FLAG_REVOKED) )
1224
return 'r';
1225
return trust_letter (trustlevel);
1226
}
1227
1228
const char *
1229
get_validity_string (PKT_public_key *pk, PKT_user_id *uid)
1230
{
1231
int trustlevel;
1232
1233
if (!pk)
1234
return "err"; /* Just in case a NULL PK is passed. */
1235
1236
trustlevel = get_validity (pk, uid);
1237
if( trustlevel & TRUST_FLAG_REVOKED )
1238
return _("revoked");
1239
return trust_value_to_string(trustlevel);
1240
}
1241
1242
static void
1243
get_validity_counts (PKT_public_key *pk, PKT_user_id *uid)
1244
{
1245
TRUSTREC trec, vrec;
1246
ulong recno;
1247
1248
if(pk==NULL || uid==NULL)
1249
BUG();
1250
1251
namehash_from_uid(uid);
1252
1253
uid->help_marginal_count=uid->help_full_count=0;
1254
1255
init_trustdb ();
1256
1257
if(read_trust_record (pk, &trec)!=0)
1258
return;
1259
1260
/* loop over all user IDs */
1261
recno = trec.r.trust.validlist;
1262
while (recno)
1263
{
1264
read_record (recno, &vrec, RECTYPE_VALID);
1265
1266
if(memcmp(vrec.r.valid.namehash,uid->namehash,20)==0)
1267
{
1268
uid->help_marginal_count=vrec.r.valid.marginal_count;
1269
uid->help_full_count=vrec.r.valid.full_count;
1270
/* printf("Fetched marginal %d, full %d\n",uid->help_marginal_count,uid->help_full_count); */
1271
break;
1272
}
1273
1274
recno = vrec.r.valid.next;
1275
}
1276
}
1277
1278
void
1279
list_trust_path( const char *username )
1280
{
1281
(void)username;
1282
}
1283
1284
/****************
1285
* Enumerate all keys, which are needed to build all trust paths for
1286
* the given key. This function does not return the key itself or
1287
* the ultimate key (the last point in cerificate chain). Only
1288
* certificate chains which ends up at an ultimately trusted key
1289
* are listed. If ownertrust or validity is not NULL, the corresponding
1290
* value for the returned LID is also returned in these variable(s).
1291
*
1292
* 1) create a void pointer and initialize it to NULL
1293
* 2) pass this void pointer by reference to this function.
1294
* Set lid to the key you want to enumerate and pass it by reference.
1295
* 3) call this function as long as it does not return -1
1296
* to indicate EOF. LID does contain the next key used to build the web
1297
* 4) Always call this function a last time with LID set to NULL,
1298
* so that it can free its context.
1299
*
1300
* Returns: -1 on EOF or the level of the returned LID
1301
*/
1302
int
1303
enum_cert_paths( void **context, ulong *lid,
1304
unsigned *ownertrust, unsigned *validity )
1305
{
1306
(void)context;
1307
(void)lid;
1308
(void)ownertrust;
1309
(void)validity;
1310
return -1;
1311
}
1312
1313
1314
/****************
1315
* Print the current path
1316
*/
1317
void
1318
enum_cert_paths_print (void **context, FILE *fp,
1319
int refresh, ulong selected_lid)
1320
{
1321
(void)context;
1322
(void)fp;
1323
(void)refresh;
1324
(void)selected_lid;
1325
}
1326
1327
1328
1329
/****************************************
1330
*********** NEW NEW NEW ****************
1331
****************************************/
1332
1333
static int
1334
ask_ownertrust (u32 *kid,int minimum)
1335
{
1336
PKT_public_key *pk;
1337
int rc;
1338
int ot;
1339
1340
pk = xmalloc_clear (sizeof *pk);
1341
rc = get_pubkey (pk, kid);
1342
if (rc)
1343
{
1344
log_error (_("public key %s not found: %s\n"),
1345
keystr(kid), g10_errstr(rc) );
1346
return TRUST_UNKNOWN;
1347
}
1348
1349
if(opt.force_ownertrust)
1350
{
1351
log_info("force trust for key %s to %s\n",
1352
keystr(kid),trust_value_to_string(opt.force_ownertrust));
1353
update_ownertrust(pk,opt.force_ownertrust);
1354
ot=opt.force_ownertrust;
1355
}
1356
else
1357
{
1358
ot=edit_ownertrust(pk,0);
1359
if(ot>0)
1360
ot = get_ownertrust (pk);
1361
else if(ot==0)
1362
ot = minimum?minimum:TRUST_UNDEFINED;
1363
else
1364
ot = -1; /* quit */
1365
}
1366
1367
free_public_key( pk );
1368
1369
return ot;
1370
}
1371
1372
1373
static void
1374
mark_keyblock_seen (KeyHashTable tbl, KBNODE node)
1375
{
1376
for ( ;node; node = node->next )
1377
if (node->pkt->pkttype == PKT_PUBLIC_KEY
1378
|| node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1379
{
1380
u32 aki[2];
1381
1382
keyid_from_pk (node->pkt->pkt.public_key, aki);
1383
add_key_hash_table (tbl, aki);
1384
}
1385
}
1386
1387
1388
static void
1389
dump_key_array (int depth, struct key_array *keys)
1390
{
1391
struct key_array *kar;
1392
1393
for (kar=keys; kar->keyblock; kar++)
1394
{
1395
KBNODE node = kar->keyblock;
1396
u32 kid[2];
1397
1398
keyid_from_pk(node->pkt->pkt.public_key, kid);
1399
printf ("%d:%08lX%08lX:K::%c::::\n",
1400
depth, (ulong)kid[0], (ulong)kid[1], '?');
1401
1402
for (; node; node = node->next)
1403
{
1404
if (node->pkt->pkttype == PKT_USER_ID)
1405
{
1406
int len = node->pkt->pkt.user_id->len;
1407
1408
if (len > 30)
1409
len = 30;
1410
printf ("%d:%08lX%08lX:U:::%c:::",
1411
depth, (ulong)kid[0], (ulong)kid[1],
1412
(node->flag & 4)? 'f':
1413
(node->flag & 2)? 'm':
1414
(node->flag & 1)? 'q':'-');
1415
print_string (stdout, node->pkt->pkt.user_id->name, len, ':');
1416
putchar (':');
1417
putchar ('\n');
1418
}
1419
}
1420
}
1421
}
1422
1423
1424
static void
1425
store_validation_status (int depth, KBNODE keyblock, KeyHashTable stored)
1426
{
1427
KBNODE node;
1428
int status;
1429
int any = 0;
1430
1431
for (node=keyblock; node; node = node->next)
1432
{
1433
if (node->pkt->pkttype == PKT_USER_ID)
1434
{
1435
PKT_user_id *uid = node->pkt->pkt.user_id;
1436
if (node->flag & 4)
1437
status = TRUST_FULLY;
1438
else if (node->flag & 2)
1439
status = TRUST_MARGINAL;
1440
else if (node->flag & 1)
1441
status = TRUST_UNDEFINED;
1442
else
1443
status = 0;
1444
1445
if (status)
1446
{
1447
update_validity (keyblock->pkt->pkt.public_key,
1448
uid, depth, status);
1449
1450
mark_keyblock_seen(stored,keyblock);
1451
1452
any = 1;
1453
}
1454
}
1455
}
1456
1457
if (any)
1458
do_sync ();
1459
}
1460
1461
/*
1462
* check whether the signature sig is in the klist k
1463
*/
1464
static struct key_item *
1465
is_in_klist (struct key_item *k, PKT_signature *sig)
1466
{
1467
for (; k; k = k->next)
1468
{
1469
if (k->kid[0] == sig->keyid[0] && k->kid[1] == sig->keyid[1])
1470
return k;
1471
}
1472
return NULL;
1473
}
1474
1475
/*
1476
* Mark the signature of the given UID which are used to certify it.
1477
* To do this, we first revmove all signatures which are not valid and
1478
* from the remain ones we look for the latest one. If this is not a
1479
* certification revocation signature we mark the signature by setting
1480
* node flag bit 8. Revocations are marked with flag 11, and sigs
1481
* from unavailable keys are marked with flag 12. Note that flag bits
1482
* 9 and 10 are used for internal purposes.
1483
*/
1484
static void
1485
mark_usable_uid_certs (KBNODE keyblock, KBNODE uidnode,
1486
u32 *main_kid, struct key_item *klist,
1487
u32 curtime, u32 *next_expire)
1488
{
1489
KBNODE node;
1490
PKT_signature *sig;
1491
1492
/* first check all signatures */
1493
for (node=uidnode->next; node; node = node->next)
1494
{
1495
int rc;
1496
1497
node->flag &= ~(1<<8 | 1<<9 | 1<<10 | 1<<11 | 1<<12);
1498
if (node->pkt->pkttype == PKT_USER_ID
1499
|| node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1500
break; /* ready */
1501
if (node->pkt->pkttype != PKT_SIGNATURE)
1502
continue;
1503
sig = node->pkt->pkt.signature;
1504
if (main_kid
1505
&& sig->keyid[0] == main_kid[0] && sig->keyid[1] == main_kid[1])
1506
continue; /* ignore self-signatures if we pass in a main_kid */
1507
if (!IS_UID_SIG(sig) && !IS_UID_REV(sig))
1508
continue; /* we only look at these signature classes */
1509
if(sig->sig_class>=0x11 && sig->sig_class<=0x13 &&
1510
sig->sig_class-0x10<opt.min_cert_level)
1511
continue; /* treat anything under our min_cert_level as an
1512
invalid signature */
1513
if (klist && !is_in_klist (klist, sig))
1514
continue; /* no need to check it then */
1515
if ((rc=check_key_signature (keyblock, node, NULL)))
1516
{
1517
/* we ignore anything that won't verify, but tag the
1518
no_pubkey case */
1519
if(rc==G10ERR_NO_PUBKEY)
1520
node->flag |= 1<<12;
1521
continue;
1522
}
1523
node->flag |= 1<<9;
1524
}
1525
/* reset the remaining flags */
1526
for (; node; node = node->next)
1527
node->flag &= ~(1<<8 | 1<<9 | 1<<10 | 1<<11 | 1<<12);
1528
1529
/* kbnode flag usage: bit 9 is here set for signatures to consider,
1530
* bit 10 will be set by the loop to keep track of keyIDs already
1531
* processed, bit 8 will be set for the usable signatures, and bit
1532
* 11 will be set for usable revocations. */
1533
1534
/* for each cert figure out the latest valid one */
1535
for (node=uidnode->next; node; node = node->next)
1536
{
1537
KBNODE n, signode;
1538
u32 kid[2];
1539
u32 sigdate;
1540
1541
if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1542
break;
1543
if ( !(node->flag & (1<<9)) )
1544
continue; /* not a node to look at */
1545
if ( (node->flag & (1<<10)) )
1546
continue; /* signature with a keyID already processed */
1547
node->flag |= (1<<10); /* mark this node as processed */
1548
sig = node->pkt->pkt.signature;
1549
signode = node;
1550
sigdate = sig->timestamp;
1551
kid[0] = sig->keyid[0]; kid[1] = sig->keyid[1];
1552
1553
/* Now find the latest and greatest signature */
1554
for (n=uidnode->next; n; n = n->next)
1555
{
1556
if (n->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1557
break;
1558
if ( !(n->flag & (1<<9)) )
1559
continue;
1560
if ( (n->flag & (1<<10)) )
1561
continue; /* shortcut already processed signatures */
1562
sig = n->pkt->pkt.signature;
1563
if (kid[0] != sig->keyid[0] || kid[1] != sig->keyid[1])
1564
continue;
1565
n->flag |= (1<<10); /* mark this node as processed */
1566
1567
/* If signode is nonrevocable and unexpired and n isn't,
1568
then take signode (skip). It doesn't matter which is
1569
older: if signode was older then we don't want to take n
1570
as signode is nonrevocable. If n was older then we're
1571
automatically fine. */
1572
1573
if(((IS_UID_SIG(signode->pkt->pkt.signature) &&
1574
!signode->pkt->pkt.signature->flags.revocable &&
1575
(signode->pkt->pkt.signature->expiredate==0 ||
1576
signode->pkt->pkt.signature->expiredate>curtime))) &&
1577
(!(IS_UID_SIG(n->pkt->pkt.signature) &&
1578
!n->pkt->pkt.signature->flags.revocable &&
1579
(n->pkt->pkt.signature->expiredate==0 ||
1580
n->pkt->pkt.signature->expiredate>curtime))))
1581
continue;
1582
1583
/* If n is nonrevocable and unexpired and signode isn't,
1584
then take n. Again, it doesn't matter which is older: if
1585
n was older then we don't want to take signode as n is
1586
nonrevocable. If signode was older then we're
1587
automatically fine. */
1588
1589
if((!(IS_UID_SIG(signode->pkt->pkt.signature) &&
1590
!signode->pkt->pkt.signature->flags.revocable &&
1591
(signode->pkt->pkt.signature->expiredate==0 ||
1592
signode->pkt->pkt.signature->expiredate>curtime))) &&
1593
((IS_UID_SIG(n->pkt->pkt.signature) &&
1594
!n->pkt->pkt.signature->flags.revocable &&
1595
(n->pkt->pkt.signature->expiredate==0 ||
1596
n->pkt->pkt.signature->expiredate>curtime))))
1597
{
1598
signode = n;
1599
sigdate = sig->timestamp;
1600
continue;
1601
}
1602
1603
/* At this point, if it's newer, it goes in as the only
1604
remaining possibilities are signode and n are both either
1605
revocable or expired or both nonrevocable and unexpired.
1606
If the timestamps are equal take the later ordered
1607
packet, presuming that the key packets are hopefully in
1608
their original order. */
1609
1610
if (sig->timestamp >= sigdate)
1611
{
1612
signode = n;
1613
sigdate = sig->timestamp;
1614
}
1615
}
1616
1617
sig = signode->pkt->pkt.signature;
1618
if (IS_UID_SIG (sig))
1619
{ /* this seems to be a usable one which is not revoked.
1620
* Just need to check whether there is an expiration time,
1621
* We do the expired certification after finding a suitable
1622
* certification, the assumption is that a signator does not
1623
* want that after the expiration of his certificate the
1624
* system falls back to an older certification which has a
1625
* different expiration time */
1626
const byte *p;
1627
u32 expire;
1628
1629
p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_SIG_EXPIRE, NULL );
1630
expire = p? sig->timestamp + buffer_to_u32(p) : 0;
1631
1632
if (expire==0 || expire > curtime )
1633
{
1634
signode->flag |= (1<<8); /* yeah, found a good cert */
1635
if (next_expire && expire && expire < *next_expire)
1636
*next_expire = expire;
1637
}
1638
}
1639
else
1640
signode->flag |= (1<<11);
1641
}
1642
}
1643
1644
static int
1645
clean_sigs_from_uid(KBNODE keyblock,KBNODE uidnode,int noisy,int self_only)
1646
{
1647
int deleted=0;
1648
KBNODE node;
1649
u32 keyid[2];
1650
1651
assert(keyblock->pkt->pkttype==PKT_PUBLIC_KEY);
1652
1653
keyid_from_pk(keyblock->pkt->pkt.public_key,keyid);
1654
1655
/* Passing in a 0 for current time here means that we'll never weed
1656
out an expired sig. This is correct behavior since we want to
1657
keep the most recent expired sig in a series. */
1658
mark_usable_uid_certs(keyblock,uidnode,NULL,NULL,0,NULL);
1659
1660
/* What we want to do here is remove signatures that are not
1661
considered as part of the trust calculations. Thus, all invalid
1662
signatures are out, as are any signatures that aren't the last of
1663
a series of uid sigs or revocations It breaks down like this:
1664
coming out of mark_usable_uid_certs, if a sig is unflagged, it is
1665
not even a candidate. If a sig has flag 9 or 10, that means it
1666
was selected as a candidate and vetted. If a sig has flag 8 it
1667
is a usable signature. If a sig has flag 11 it is a usable
1668
revocation. If a sig has flag 12 it was issued by an unavailable
1669
key. "Usable" here means the most recent valid
1670
signature/revocation in a series from a particular signer.
1671
1672
Delete everything that isn't a usable uid sig (which might be
1673
expired), a usable revocation, or a sig from an unavailable
1674
key. */
1675
1676
for(node=uidnode->next;
1677
node && node->pkt->pkttype==PKT_SIGNATURE;
1678
node=node->next)
1679
{
1680
int keep=self_only?(node->pkt->pkt.signature->keyid[0]==keyid[0]
1681
&& node->pkt->pkt.signature->keyid[1]==keyid[1]):1;
1682
1683
/* Keep usable uid sigs ... */
1684
if((node->flag & (1<<8)) && keep)
1685
continue;
1686
1687
/* ... and usable revocations... */
1688
if((node->flag & (1<<11)) && keep)
1689
continue;
1690
1691
/* ... and sigs from unavailable keys. */
1692
/* disabled for now since more people seem to want sigs from
1693
unavailable keys removed altogether. */
1694
/*
1695
if(node->flag & (1<<12))
1696
continue;
1697
*/
1698
1699
/* Everything else we delete */
1700
1701
/* At this point, if 12 is set, the signing key was unavailable.
1702
If 9 or 10 is set, it's superseded. Otherwise, it's
1703
invalid. */
1704
1705
if(noisy)
1706
log_info("removing signature from key %s on user ID \"%s\": %s\n",
1707
keystr(node->pkt->pkt.signature->keyid),
1708
uidnode->pkt->pkt.user_id->name,
1709
node->flag&(1<<12)?"key unavailable":
1710
node->flag&(1<<9)?"signature superseded":"invalid signature");
1711
1712
delete_kbnode(node);
1713
deleted++;
1714
}
1715
1716
return deleted;
1717
}
1718
1719
/* This is substantially easier than clean_sigs_from_uid since we just
1720
have to establish if the uid has a valid self-sig, is not revoked,
1721
and is not expired. Note that this does not take into account
1722
whether the uid has a trust path to it - just whether the keyholder
1723
themselves has certified the uid. Returns true if the uid was
1724
compacted. To "compact" a user ID, we simply remove ALL signatures
1725
except the self-sig that caused the user ID to be remove-worthy.
1726
We don't actually remove the user ID packet itself since it might
1727
be ressurected in a later merge. Note that this function requires
1728
that the caller has already done a merge_keys_and_selfsig().
1729
1730
TODO: change the import code to allow importing a uid with only a
1731
revocation if the uid already exists on the keyring. */
1732
1733
static int
1734
clean_uid_from_key(KBNODE keyblock,KBNODE uidnode,int noisy)
1735
{
1736
KBNODE node;
1737
PKT_user_id *uid=uidnode->pkt->pkt.user_id;
1738
int deleted=0;
1739
1740
assert(keyblock->pkt->pkttype==PKT_PUBLIC_KEY);
1741
assert(uidnode->pkt->pkttype==PKT_USER_ID);
1742
1743
/* Skip valid user IDs, compacted user IDs, and non-self-signed user
1744
IDs if --allow-non-selfsigned-uid is set. */
1745
if(uid->created || uid->flags.compacted
1746
|| (!uid->is_expired && !uid->is_revoked
1747
&& opt.allow_non_selfsigned_uid))
1748
return 0;
1749
1750
for(node=uidnode->next;
1751
node && node->pkt->pkttype==PKT_SIGNATURE;
1752
node=node->next)
1753
if(!node->pkt->pkt.signature->flags.chosen_selfsig)
1754
{
1755
delete_kbnode(node);
1756
deleted=1;
1757
uidnode->pkt->pkt.user_id->flags.compacted=1;
1758
}
1759
1760
if(noisy)
1761
{
1762
const char *reason;
1763
char *user=utf8_to_native(uid->name,uid->len,0);
1764
1765
if(uid->is_revoked)
1766
reason=_("revoked");
1767
else if(uid->is_expired)
1768
reason=_("expired");
1769
else
1770
reason=_("invalid");
1771
1772
log_info("compacting user ID \"%s\" on key %s: %s\n",
1773
user,keystr_from_pk(keyblock->pkt->pkt.public_key),
1774
reason);
1775
1776
xfree(user);
1777
}
1778
1779
return deleted;
1780
}
1781
1782
/* Needs to be called after a merge_keys_and_selfsig() */
1783
void
1784
clean_one_uid(KBNODE keyblock,KBNODE uidnode,int noisy,int self_only,
1785
int *uids_cleaned,int *sigs_cleaned)
1786
{
1787
int dummy;
1788
1789
assert(keyblock->pkt->pkttype==PKT_PUBLIC_KEY);
1790
assert(uidnode->pkt->pkttype==PKT_USER_ID);
1791
1792
if(!uids_cleaned)
1793
uids_cleaned=&dummy;
1794
1795
if(!sigs_cleaned)
1796
sigs_cleaned=&dummy;
1797
1798
/* Do clean_uid_from_key first since if it fires off, we don't
1799
have to bother with the other */
1800
*uids_cleaned+=clean_uid_from_key(keyblock,uidnode,noisy);
1801
if(!uidnode->pkt->pkt.user_id->flags.compacted)
1802
*sigs_cleaned+=clean_sigs_from_uid(keyblock,uidnode,noisy,self_only);
1803
}
1804
1805
void
1806
clean_key(KBNODE keyblock,int noisy,int self_only,
1807
int *uids_cleaned,int *sigs_cleaned)
1808
{
1809
KBNODE uidnode;
1810
1811
merge_keys_and_selfsig(keyblock);
1812
1813
for(uidnode=keyblock->next;
1814
uidnode && uidnode->pkt->pkttype!=PKT_PUBLIC_SUBKEY;
1815
uidnode=uidnode->next)
1816
if(uidnode->pkt->pkttype==PKT_USER_ID)
1817
clean_one_uid(keyblock,uidnode,noisy,self_only,
1818
uids_cleaned,sigs_cleaned);
1819
}
1820
1821
/* Returns a sanitized copy of the regexp (which might be "", but not
1822
NULL). */
1823
#ifndef DISABLE_REGEX
1824
static char *
1825
sanitize_regexp(const char *old)
1826
{
1827
size_t start=0,len=strlen(old),idx=0;
1828
int escaped=0,standard_bracket=0;
1829
char *new=xmalloc((len*2)+1); /* enough to \-escape everything if we
1830
have to */
1831
1832
/* There are basically two commonly-used regexps here. GPG and most
1833
versions of PGP use "<[^>]+[@.]example\.com>$" and PGP (9)
1834
command line uses "example.com" (i.e. whatever the user specfies,
1835
and we can't expect users know to use "\." instead of "."). So
1836
here are the rules: we're allowed to start with "<[^>]+[@.]" and
1837
end with ">$" or start and end with nothing. In between, the
1838
only legal regex character is ".", and everything else gets
1839
escaped. Part of the gotcha here is that some regex packages
1840
allow more than RFC-4880 requires. For example, 4880 has no "{}"
1841
operator, but GNU regex does. Commenting removes these operators
1842
from consideration. A possible future enhancement is to use
1843
commenting to effectively back off a given regex to the Henry
1844
Spencer syntax in 4880. -dshaw */
1845
1846
/* Are we bracketed between "<[^>]+[@.]" and ">$" ? */
1847
if(len>=12 && strncmp(old,"<[^>]+[@.]",10)==0
1848
&& old[len-2]=='>' && old[len-1]=='$')
1849
{
1850
strcpy(new,"<[^>]+[@.]");
1851
idx=strlen(new);
1852
standard_bracket=1;
1853
start+=10;
1854
len-=2;
1855
}
1856
1857
/* Walk the remaining characters and ensure that everything that is
1858
left is not an operational regex character. */
1859
for(;start<len;start++)
1860
{
1861
if(!escaped && old[start]=='\\')
1862
escaped=1;
1863
else if(!escaped && old[start]!='.')
1864
new[idx++]='\\';
1865
else
1866
escaped=0;
1867
1868
new[idx++]=old[start];
1869
}
1870
1871
new[idx]='\0';
1872
1873
/* Note that the (sub)string we look at might end with a bare "\".
1874
If it does, leave it that way. If the regexp actually ended with
1875
">$", then it was escaping the ">" and is fine. If the regexp
1876
actually ended with the bare "\", then it's an illegal regexp and
1877
regcomp should kick it out. */
1878
1879
if(standard_bracket)
1880
strcat(new,">$");
1881
1882
return new;
1883
}
1884
#endif /*!DISABLE_REGEX*/
1885
1886
/* Used by validate_one_keyblock to confirm a regexp within a trust
1887
signature. Returns 1 for match, and 0 for no match or regex
1888
error. */
1889
static int
1890
check_regexp(const char *expr,const char *string)
1891
{
1892
#ifdef DISABLE_REGEX
1893
/* When DISABLE_REGEX is defined, assume all regexps do not
1894
match. */
1895
return 0;
1896
#else
1897
int ret;
1898
char *regexp;
1899
1900
regexp=sanitize_regexp(expr);
1901
1902
#ifdef __riscos__
1903
ret=riscos_check_regexp(expr, string, DBG_TRUST);
1904
#else
1905
{
1906
regex_t pat;
1907
1908
ret=regcomp(&pat,regexp,REG_ICASE|REG_NOSUB|REG_EXTENDED);
1909
if(ret==0)
1910
{
1911
ret=regexec(&pat,string,0,NULL,0);
1912
regfree(&pat);
1913
ret=(ret==0);
1914
}
1915
}
1916
#endif
1917
1918
if(DBG_TRUST)
1919
log_debug("regexp `%s' (`%s') on `%s': %s\n",
1920
regexp,expr,string,ret==0?"YES":"NO");
1921
1922
xfree(regexp);
1923
1924
return ret;
1925
#endif
1926
}
1927
1928
/*
1929
* Return true if the key is signed by one of the keys in the given
1930
* key ID list. User IDs with a valid signature are marked by node
1931
* flags as follows:
1932
* flag bit 0: There is at least one signature
1933
* 1: There is marginal confidence that this is a legitimate uid
1934
* 2: There is full confidence that this is a legitimate uid.
1935
* 8: Used for internal purposes.
1936
* 9: Ditto (in mark_usable_uid_certs())
1937
* 10: Ditto (ditto)
1938
* This function assumes that all kbnode flags are cleared on entry.
1939
*/
1940
static int
1941
validate_one_keyblock (KBNODE kb, struct key_item *klist,
1942
u32 curtime, u32 *next_expire)
1943
{
1944
struct key_item *kr;
1945
KBNODE node, uidnode=NULL;
1946
PKT_user_id *uid=NULL;
1947
PKT_public_key *pk = kb->pkt->pkt.public_key;
1948
u32 main_kid[2];
1949
int issigned=0, any_signed = 0;
1950
1951
keyid_from_pk(pk, main_kid);
1952
for (node=kb; node; node = node->next)
1953
{
1954
/* A bit of discussion here: is it better for the web of trust
1955
to be built among only self-signed uids? On the one hand, a
1956
self-signed uid is a statement that the key owner definitely
1957
intended that uid to be there, but on the other hand, a
1958
signed (but not self-signed) uid does carry trust, of a sort,
1959
even if it is a statement being made by people other than the
1960
key owner "through" the uids on the key owner's key. I'm
1961
going with the latter. However, if the user ID was
1962
explicitly revoked, or passively allowed to expire, that
1963
should stop validity through the user ID until it is
1964
resigned. -dshaw */
1965
1966
if (node->pkt->pkttype == PKT_USER_ID
1967
&& !node->pkt->pkt.user_id->is_revoked
1968
&& !node->pkt->pkt.user_id->is_expired)
1969
{
1970
if (uidnode && issigned)
1971
{
1972
if (uid->help_full_count >= opt.completes_needed
1973
|| uid->help_marginal_count >= opt.marginals_needed )
1974
uidnode->flag |= 4;
1975
else if (uid->help_full_count || uid->help_marginal_count)
1976
uidnode->flag |= 2;
1977
uidnode->flag |= 1;
1978
any_signed = 1;
1979
}
1980
uidnode = node;
1981
uid=uidnode->pkt->pkt.user_id;
1982
1983
/* If the selfsig is going to expire... */
1984
if(uid->expiredate && uid->expiredate<*next_expire)
1985
*next_expire = uid->expiredate;
1986
1987
issigned = 0;
1988
get_validity_counts(pk,uid);
1989
mark_usable_uid_certs (kb, uidnode, main_kid, klist,
1990
curtime, next_expire);
1991
}
1992
else if (node->pkt->pkttype == PKT_SIGNATURE
1993
&& (node->flag & (1<<8)) && uid)
1994
{
1995
/* Note that we are only seeing unrevoked sigs here */
1996
PKT_signature *sig = node->pkt->pkt.signature;
1997
1998
kr = is_in_klist (klist, sig);
1999
/* If the trust_regexp does not match, it's as if the sig
2000
did not exist. This is safe for non-trust sigs as well
2001
since we don't accept a regexp on the sig unless it's a
2002
trust sig. */
2003
if (kr && (!kr->trust_regexp
2004
|| opt.trust_model != TM_PGP
2005
|| (uidnode
2006
&& check_regexp(kr->trust_regexp,
2007
uidnode->pkt->pkt.user_id->name))))
2008
{
2009
/* Are we part of a trust sig chain? We always favor
2010
the latest trust sig, rather than the greater or
2011
lesser trust sig or value. I could make a decent
2012
argument for any of these cases, but this seems to be
2013
what PGP does, and I'd like to be compatible. -dms */
2014
if (opt.trust_model == TM_PGP
2015
&& sig->trust_depth
2016
&& pk->trust_timestamp <= sig->timestamp)
2017
{
2018
unsigned char depth;
2019
2020
/* If the depth on the signature is less than the
2021
chain currently has, then use the signature depth
2022
so we don't increase the depth beyond what the
2023
signer wanted. If the depth on the signature is
2024
more than the chain currently has, then use the
2025
chain depth so we use as much of the signature
2026
depth as the chain will permit. An ultimately
2027
trusted signature can restart the depth to
2028
whatever level it likes. */
2029
2030
if (sig->trust_depth < kr->trust_depth
2031
|| kr->ownertrust == TRUST_ULTIMATE)
2032
depth = sig->trust_depth;
2033
else
2034
depth = kr->trust_depth;
2035
2036
if (depth)
2037
{
2038
if(DBG_TRUST)
2039
log_debug ("trust sig on %s, sig depth is %d,"
2040
" kr depth is %d\n",
2041
uidnode->pkt->pkt.user_id->name,
2042
sig->trust_depth,
2043
kr->trust_depth);
2044
2045
/* If we got here, we know that:
2046
2047
this is a trust sig.
2048
2049
it's a newer trust sig than any previous trust
2050
sig on this key (not uid).
2051
2052
it is legal in that it was either generated by an
2053
ultimate key, or a key that was part of a trust
2054
chain, and the depth does not violate the
2055
original trust sig.
2056
2057
if there is a regexp attached, it matched
2058
successfully.
2059
*/
2060
2061
if (DBG_TRUST)
2062
log_debug ("replacing trust value %d with %d and "
2063
"depth %d with %d\n",
2064
pk->trust_value,sig->trust_value,
2065
pk->trust_depth,depth);
2066
2067
pk->trust_value = sig->trust_value;
2068
pk->trust_depth = depth-1;
2069
2070
/* If the trust sig contains a regexp, record it
2071
on the pk for the next round. */
2072
if (sig->trust_regexp)
2073
pk->trust_regexp = sig->trust_regexp;
2074
}
2075
}
2076
2077
if (kr->ownertrust == TRUST_ULTIMATE)
2078
uid->help_full_count = opt.completes_needed;
2079
else if (kr->ownertrust == TRUST_FULLY)
2080
uid->help_full_count++;
2081
else if (kr->ownertrust == TRUST_MARGINAL)
2082
uid->help_marginal_count++;
2083
issigned = 1;
2084
}
2085
}
2086
}
2087
2088
if (uidnode && issigned)
2089
{
2090
if (uid->help_full_count >= opt.completes_needed
2091
|| uid->help_marginal_count >= opt.marginals_needed )
2092
uidnode->flag |= 4;
2093
else if (uid->help_full_count || uid->help_marginal_count)
2094
uidnode->flag |= 2;
2095
uidnode->flag |= 1;
2096
any_signed = 1;
2097
}
2098
2099
return any_signed;
2100
}
2101
2102
2103
static int
2104
search_skipfnc (void *opaque, u32 *kid, PKT_user_id *dummy)
2105
{
2106
(void)dummy;
2107
return test_key_hash_table ((KeyHashTable)opaque, kid);
2108
}
2109
2110
2111
/*
2112
* Scan all keys and return a key_array of all suitable keys from
2113
* kllist. The caller has to pass keydb handle so that we don't use
2114
* to create our own. Returns either a key_array or NULL in case of
2115
* an error. No results found are indicated by an empty array.
2116
* Caller hast to release the returned array.
2117
*/
2118
static struct key_array *
2119
validate_key_list (KEYDB_HANDLE hd, KeyHashTable full_trust,
2120
struct key_item *klist, u32 curtime, u32 *next_expire)
2121
{
2122
KBNODE keyblock = NULL;
2123
struct key_array *keys = NULL;
2124
size_t nkeys, maxkeys;
2125
int rc;
2126
KEYDB_SEARCH_DESC desc;
2127
2128
maxkeys = 1000;
2129
keys = xmalloc ((maxkeys+1) * sizeof *keys);
2130
nkeys = 0;
2131
2132
rc = keydb_search_reset (hd);
2133
if (rc)
2134
{
2135
log_error ("keydb_search_reset failed: %s\n", g10_errstr(rc));
2136
xfree (keys);
2137
return NULL;
2138
}
2139
2140
memset (&desc, 0, sizeof desc);
2141
desc.mode = KEYDB_SEARCH_MODE_FIRST;
2142
desc.skipfnc = search_skipfnc;
2143
desc.skipfncvalue = full_trust;
2144
rc = keydb_search (hd, &desc, 1);
2145
if (rc == -1)
2146
{
2147
keys[nkeys].keyblock = NULL;
2148
return keys;
2149
}
2150
if (rc)
2151
{
2152
log_error ("keydb_search_first failed: %s\n", g10_errstr(rc));
2153
xfree (keys);
2154
return NULL;
2155
}
2156
2157
desc.mode = KEYDB_SEARCH_MODE_NEXT; /* change mode */
2158
do
2159
{
2160
PKT_public_key *pk;
2161
2162
rc = keydb_get_keyblock (hd, &keyblock);
2163
if (rc)
2164
{
2165
log_error ("keydb_get_keyblock failed: %s\n", g10_errstr(rc));
2166
xfree (keys);
2167
return NULL;
2168
}
2169
2170
if ( keyblock->pkt->pkttype != PKT_PUBLIC_KEY)
2171
{
2172
log_debug ("ooops: invalid pkttype %d encountered\n",
2173
keyblock->pkt->pkttype);
2174
dump_kbnode (keyblock);
2175
release_kbnode(keyblock);
2176
continue;
2177
}
2178
2179
/* prepare the keyblock for further processing */
2180
merge_keys_and_selfsig (keyblock);
2181
clear_kbnode_flags (keyblock);
2182
pk = keyblock->pkt->pkt.public_key;
2183
if (pk->has_expired || pk->is_revoked)
2184
{
2185
/* it does not make sense to look further at those keys */
2186
mark_keyblock_seen (full_trust, keyblock);
2187
}
2188
else if (validate_one_keyblock (keyblock, klist, curtime, next_expire))
2189
{
2190
KBNODE node;
2191
2192
if (pk->expiredate && pk->expiredate >= curtime
2193
&& pk->expiredate < *next_expire)
2194
*next_expire = pk->expiredate;
2195
2196
if (nkeys == maxkeys) {
2197
maxkeys += 1000;
2198
keys = xrealloc (keys, (maxkeys+1) * sizeof *keys);
2199
}
2200
keys[nkeys++].keyblock = keyblock;
2201
2202
/* Optimization - if all uids are fully trusted, then we
2203
never need to consider this key as a candidate again. */
2204
2205
for (node=keyblock; node; node = node->next)
2206
if (node->pkt->pkttype == PKT_USER_ID && !(node->flag & 4))
2207
break;
2208
2209
if(node==NULL)
2210
mark_keyblock_seen (full_trust, keyblock);
2211
2212
keyblock = NULL;
2213
}
2214
2215
release_kbnode (keyblock);
2216
keyblock = NULL;
2217
}
2218
while ( !(rc = keydb_search (hd, &desc, 1)) );
2219
if (rc && rc != -1)
2220
{
2221
log_error ("keydb_search_next failed: %s\n", g10_errstr(rc));
2222
xfree (keys);
2223
return NULL;
2224
}
2225
2226
keys[nkeys].keyblock = NULL;
2227
return keys;
2228
}
2229
2230
/* Caller must sync */
2231
static void
2232
reset_trust_records(void)
2233
{
2234
TRUSTREC rec;
2235
ulong recnum;
2236
int count = 0, nreset = 0;
2237
2238
for (recnum=1; !tdbio_read_record (recnum, &rec, 0); recnum++ )
2239
{
2240
if(rec.rectype==RECTYPE_TRUST)
2241
{
2242
count++;
2243
if(rec.r.trust.min_ownertrust)
2244
{
2245
rec.r.trust.min_ownertrust=0;
2246
write_record(&rec);
2247
}
2248
2249
}
2250
else if(rec.rectype==RECTYPE_VALID
2251
&& ((rec.r.valid.validity&TRUST_MASK)
2252
|| rec.r.valid.marginal_count
2253
|| rec.r.valid.full_count))
2254
{
2255
rec.r.valid.validity &= ~TRUST_MASK;
2256
rec.r.valid.marginal_count=rec.r.valid.full_count=0;
2257
nreset++;
2258
write_record(&rec);
2259
}
2260
2261
}
2262
2263
if (opt.verbose)
2264
log_info (_("%d keys processed (%d validity counts cleared)\n"),
2265
count, nreset);
2266
}
2267
2268
/*
2269
* Run the key validation procedure.
2270
*
2271
* This works this way:
2272
* Step 1: Find all ultimately trusted keys (UTK).
2273
* mark them all as seen and put them into klist.
2274
* Step 2: loop max_cert_times
2275
* Step 3: if OWNERTRUST of any key in klist is undefined
2276
* ask user to assign ownertrust
2277
* Step 4: Loop over all keys in the keyDB which are not marked seen
2278
* Step 5: if key is revoked or expired
2279
* mark key as seen
2280
* continue loop at Step 4
2281
* Step 6: For each user ID of that key signed by a key in klist
2282
* Calculate validity by counting trusted signatures.
2283
* Set validity of user ID
2284
* Step 7: If any signed user ID was found
2285
* mark key as seen
2286
* End Loop
2287
* Step 8: Build a new klist from all fully trusted keys from step 6
2288
* End Loop
2289
* Ready
2290
*
2291
*/
2292
static int
2293
validate_keys (int interactive)
2294
{
2295
int rc = 0;
2296
int quit=0;
2297
struct key_item *klist = NULL;
2298
struct key_item *k;
2299
struct key_array *keys = NULL;
2300
struct key_array *kar;
2301
KEYDB_HANDLE kdb = NULL;
2302
KBNODE node;
2303
int depth;
2304
int ot_unknown, ot_undefined, ot_never, ot_marginal, ot_full, ot_ultimate;
2305
KeyHashTable stored,used,full_trust;
2306
u32 start_time, next_expire;
2307
2308
/* Make sure we have all sigs cached. TODO: This is going to
2309
require some architectual re-thinking, as it is agonizingly slow.
2310
Perhaps combine this with reset_trust_records(), or only check
2311
the caches on keys that are actually involved in the web of
2312
trust. */
2313
keydb_rebuild_caches(0);
2314
2315
start_time = make_timestamp ();
2316
next_expire = 0xffffffff; /* set next expire to the year 2106 */
2317
stored = new_key_hash_table ();
2318
used = new_key_hash_table ();
2319
full_trust = new_key_hash_table ();
2320
2321
kdb = keydb_new (0);
2322
reset_trust_records();
2323
2324
/* Fixme: Instead of always building a UTK list, we could just build it
2325
* here when needed */
2326
if (!utk_list)
2327
{
2328
if (!opt.quiet)
2329
log_info (_("no ultimately trusted keys found\n"));
2330
goto leave;
2331
}
2332
2333
/* mark all UTKs as used and fully_trusted and set validity to
2334
ultimate */
2335
for (k=utk_list; k; k = k->next)
2336
{
2337
KBNODE keyblock;
2338
PKT_public_key *pk;
2339
2340
keyblock = get_pubkeyblock (k->kid);
2341
if (!keyblock)
2342
{
2343
log_error (_("public key of ultimately"
2344
" trusted key %s not found\n"), keystr(k->kid));
2345
continue;
2346
}
2347
mark_keyblock_seen (used, keyblock);
2348
mark_keyblock_seen (stored, keyblock);
2349
mark_keyblock_seen (full_trust, keyblock);
2350
pk = keyblock->pkt->pkt.public_key;
2351
for (node=keyblock; node; node = node->next)
2352
{
2353
if (node->pkt->pkttype == PKT_USER_ID)
2354
update_validity (pk, node->pkt->pkt.user_id, 0, TRUST_ULTIMATE);
2355
}
2356
if ( pk->expiredate && pk->expiredate >= start_time
2357
&& pk->expiredate < next_expire)
2358
next_expire = pk->expiredate;
2359
2360
release_kbnode (keyblock);
2361
do_sync ();
2362
}
2363
2364
klist = utk_list;
2365
2366
log_info(_("%d marginal(s) needed, %d complete(s) needed, %s trust model\n"),
2367
opt.marginals_needed,opt.completes_needed,trust_model_string());
2368
2369
for (depth=0; depth < opt.max_cert_depth; depth++)
2370
{
2371
int valids=0,key_count;
2372
/* See whether we should assign ownertrust values to the keys in
2373
klist. */
2374
ot_unknown = ot_undefined = ot_never = 0;
2375
ot_marginal = ot_full = ot_ultimate = 0;
2376
for (k=klist; k; k = k->next)
2377
{
2378
int min=0;
2379
2380
/* 120 and 60 are as per RFC2440 */
2381
if(k->trust_value>=120)
2382
min=TRUST_FULLY;
2383
else if(k->trust_value>=60)
2384
min=TRUST_MARGINAL;
2385
2386
if(min!=k->min_ownertrust)
2387
update_min_ownertrust(k->kid,min);
2388
2389
if (interactive && k->ownertrust == TRUST_UNKNOWN)
2390
{
2391
k->ownertrust = ask_ownertrust (k->kid,min);
2392
2393
if (k->ownertrust == -1)
2394
{
2395
quit=1;
2396
goto leave;
2397
}
2398
}
2399
2400
/* This can happen during transition from an old trustdb
2401
before trust sigs. It can also happen if a user uses two
2402
different versions of GnuPG or changes the --trust-model
2403
setting. */
2404
if(k->ownertrust<min)
2405
{
2406
if(DBG_TRUST)
2407
log_debug("key %08lX%08lX:"
2408
" overriding ownertrust `%s' with `%s'\n",
2409
(ulong)k->kid[0],(ulong)k->kid[1],
2410
trust_value_to_string(k->ownertrust),
2411
trust_value_to_string(min));
2412
2413
k->ownertrust=min;
2414
}
2415
2416
if (k->ownertrust == TRUST_UNKNOWN)
2417
ot_unknown++;
2418
else if (k->ownertrust == TRUST_UNDEFINED)
2419
ot_undefined++;
2420
else if (k->ownertrust == TRUST_NEVER)
2421
ot_never++;
2422
else if (k->ownertrust == TRUST_MARGINAL)
2423
ot_marginal++;
2424
else if (k->ownertrust == TRUST_FULLY)
2425
ot_full++;
2426
else if (k->ownertrust == TRUST_ULTIMATE)
2427
ot_ultimate++;
2428
2429
valids++;
2430
}
2431
2432
/* Find all keys which are signed by a key in kdlist */
2433
keys = validate_key_list (kdb, full_trust, klist,
2434
start_time, &next_expire);
2435
if (!keys)
2436
{
2437
log_error ("validate_key_list failed\n");
2438
rc = G10ERR_GENERAL;
2439
goto leave;
2440
}
2441
2442
for (key_count=0, kar=keys; kar->keyblock; kar++, key_count++)
2443
;
2444
2445
/* Store the calculated valididation status somewhere */
2446
if (opt.verbose > 1)
2447
dump_key_array (depth, keys);
2448
2449
for (kar=keys; kar->keyblock; kar++)
2450
store_validation_status (depth, kar->keyblock, stored);
2451
2452
log_info (_("depth: %d valid: %3d signed: %3d"
2453
" trust: %d-, %dq, %dn, %dm, %df, %du\n"),
2454
depth, valids, key_count, ot_unknown, ot_undefined,
2455
ot_never, ot_marginal, ot_full, ot_ultimate );
2456
2457
/* Build a new kdlist from all fully valid keys in KEYS */
2458
if (klist != utk_list)
2459
release_key_items (klist);
2460
klist = NULL;
2461
for (kar=keys; kar->keyblock; kar++)
2462
{
2463
for (node=kar->keyblock; node; node = node->next)
2464
{
2465
if (node->pkt->pkttype == PKT_USER_ID && (node->flag & 4))
2466
{
2467
u32 kid[2];
2468
2469
/* have we used this key already? */
2470
keyid_from_pk (kar->keyblock->pkt->pkt.public_key, kid);
2471
if(test_key_hash_table(used,kid)==0)
2472
{
2473
/* Normally we add both the primary and subkey
2474
ids to the hash via mark_keyblock_seen, but
2475
since we aren't using this hash as a skipfnc,
2476
that doesn't matter here. */
2477
add_key_hash_table (used,kid);
2478
k = new_key_item ();
2479
k->kid[0]=kid[0];
2480
k->kid[1]=kid[1];
2481
k->ownertrust =
2482
(get_ownertrust (kar->keyblock->pkt->pkt.public_key)
2483
& TRUST_MASK);
2484
k->min_ownertrust =
2485
get_min_ownertrust(kar->keyblock->pkt->pkt.public_key);
2486
k->trust_depth=
2487
kar->keyblock->pkt->pkt.public_key->trust_depth;
2488
k->trust_value=
2489
kar->keyblock->pkt->pkt.public_key->trust_value;
2490
if(kar->keyblock->pkt->pkt.public_key->trust_regexp)
2491
k->trust_regexp=
2492
xstrdup(kar->keyblock->pkt->
2493
pkt.public_key->trust_regexp);
2494
k->next = klist;
2495
klist = k;
2496
break;
2497
}
2498
}
2499
}
2500
}
2501
release_key_array (keys);
2502
keys = NULL;
2503
if (!klist)
2504
break; /* no need to dive in deeper */
2505
}
2506
2507
leave:
2508
keydb_release (kdb);
2509
release_key_array (keys);
2510
release_key_items (klist);
2511
release_key_hash_table (full_trust);
2512
release_key_hash_table (used);
2513
release_key_hash_table (stored);
2514
if (!rc && !quit) /* mark trustDB as checked */
2515
{
2516
if (next_expire == 0xffffffff || next_expire < start_time )
2517
tdbio_write_nextcheck (0);
2518
else
2519
{
2520
tdbio_write_nextcheck (next_expire);
2521
log_info (_("next trustdb check due at %s\n"),
2522
strtimestamp (next_expire));
2523
}
2524
2525
if(tdbio_update_version_record()!=0)
2526
{
2527
log_error(_("unable to update trustdb version record: "
2528
"write failed: %s\n"), g10_errstr(rc));
2529
tdbio_invalid();
2530
}
2531
2532
do_sync ();
2533
pending_check_trustdb = 0;
2534
}
2535
2536
return rc;
2537
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.1