1 /* trustlist.c - Maintain the list of trusted keys
2 * Copyright (C) 2002, 2004, 2006, 2007, 2009,
3 * 2012 Free Software Foundation, Inc.
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
33 #include <assuan.h> /* fixme: need a way to avoid assuan calls here */
37 /* A structure to store the information from the trust file. */
42 int disabled:1; /* This entry is disabled. */
43 int for_pgp:1; /* Set by '*' or 'P' as first flag. */
44 int for_smime:1; /* Set by '*' or 'S' as first flag. */
45 int relax:1; /* Relax checking of root certificate
47 int cm:1; /* Use chain model for validation. */
49 unsigned char fpr[20]; /* The binary fingerprint. */
51 typedef struct trustitem_s trustitem_t;
53 /* Malloced table and its allocated size with all trust items. */
54 static trustitem_t *trusttable;
55 static size_t trusttablesize;
56 /* A mutex used to protect the table. */
57 static npth_mutex_t trusttable_lock;
60 static const char headerblurb[] =
61 "# This is the list of trusted keys. Comment lines, like this one, as\n"
62 "# well as empty lines are ignored. Lines have a length limit but this\n"
63 "# is not a serious limitation as the format of the entries is fixed and\n"
64 "# checked by gpg-agent. A non-comment line starts with optional white\n"
65 "# space, followed by the SHA-1 fingerpint in hex, followed by a flag\n"
66 "# which may be one of 'P', 'S' or '*' and optionally followed by a list of\n"
67 "# other flags. The fingerprint may be prefixed with a '!' to mark the\n"
68 "# key as not trusted. You should give the gpg-agent a HUP or run the\n"
69 "# command \"gpgconf --reload gpg-agent\" after changing this file.\n"
71 "# Include the default trust list\n"
76 /* This function must be called once to initialize this module. This
77 has to be done before a second thread is spawned. We can't do the
78 static initialization because Pth emulation code might not be able
79 to do a static init; in particular, it is not possible for W32. */
81 initialize_module_trustlist (void)
83 static int initialized;
88 err = npth_mutex_init (&trusttable_lock, NULL);
90 log_fatal ("failed to init mutex in %s: %s\n", __FILE__,strerror (err));
99 lock_trusttable (void)
103 err = npth_mutex_lock (&trusttable_lock);
105 log_fatal ("failed to acquire mutex in %s: %s\n", __FILE__, strerror (err));
110 unlock_trusttable (void)
114 err = npth_mutex_unlock (&trusttable_lock);
116 log_fatal ("failed to release mutex in %s: %s\n", __FILE__, strerror (err));
120 /* Clear the trusttable. The caller needs to make sure that the
121 trusttable is locked. */
123 clear_trusttable (void)
132 read_one_trustfile (const char *fname, int allow_include,
133 trustitem_t **addr_of_table,
134 size_t *addr_of_tablesize,
135 int *addr_of_tableidx)
141 trustitem_t *table, *ti;
146 table = *addr_of_table;
147 tablesize = *addr_of_tablesize;
148 tableidx = *addr_of_tableidx;
150 fp = es_fopen (fname, "r");
153 err = gpg_error_from_syserror ();
154 log_error (_("error opening '%s': %s\n"), fname, gpg_strerror (err));
158 while (es_fgets (line, DIM(line)-1, fp))
163 if (!n || line[n-1] != '\n')
165 /* Eat until end of line. */
166 while ( (c=es_getc (fp)) != EOF && c != '\n')
168 err = gpg_error (*line? GPG_ERR_LINE_TOO_LONG
169 : GPG_ERR_INCOMPLETE_LINE);
170 log_error (_("file '%s', line %d: %s\n"),
171 fname, lnr, gpg_strerror (err));
174 line[--n] = 0; /* Chop the LF. */
175 if (n && line[n-1] == '\r')
176 line[--n] = 0; /* Chop an optional CR. */
178 /* Allow for empty lines and spaces */
179 for (p=line; spacep (p); p++)
181 if (!*p || *p == '#')
184 if (!strncmp (p, "include-default", 15)
185 && (!p[15] || spacep (p+15)))
192 log_error (_("statement \"%s\" ignored in '%s', line %d\n"),
193 "include-default", fname, lnr);
196 /* fixme: Should check for trailing garbage. */
198 etcname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
199 if ( !strcmp (etcname, fname) ) /* Same file. */
200 log_info (_("statement \"%s\" ignored in '%s', line %d\n"),
201 "include-default", fname, lnr);
202 else if ( access (etcname, F_OK) && errno == ENOENT )
204 /* A non existent system trustlist is not an error.
205 Just print a note. */
206 log_info (_("system trustlist '%s' not available\n"), etcname);
210 err2 = read_one_trustfile (etcname, 0,
211 &table, &tablesize, &tableidx);
220 if (tableidx == tablesize) /* Need more space. */
225 tmplen = tablesize + 20;
226 tmp = xtryrealloc (table, tmplen * sizeof *table);
229 err = gpg_error_from_syserror ();
236 ti = table + tableidx;
238 memset (&ti->flags, 0, sizeof ti->flags);
241 ti->flags.disabled = 1;
247 n = hexcolon2bin (p, ti->fpr, 20);
250 log_error (_("bad fingerprint in '%s', line %d\n"), fname, lnr);
251 err = gpg_error (GPG_ERR_BAD_DATA);
255 for (; spacep (p); p++)
258 /* Process the first flag which needs to be the first for
259 backward compatibility. */
260 if (!*p || *p == '*' )
262 ti->flags.for_smime = 1;
263 ti->flags.for_pgp = 1;
265 else if ( *p == 'P' || *p == 'p')
267 ti->flags.for_pgp = 1;
269 else if ( *p == 'S' || *p == 's')
271 ti->flags.for_smime = 1;
275 log_error (_("invalid keyflag in '%s', line %d\n"), fname, lnr);
276 err = gpg_error (GPG_ERR_BAD_DATA);
280 if ( *p && !spacep (p) )
282 log_error (_("invalid keyflag in '%s', line %d\n"), fname, lnr);
283 err = gpg_error (GPG_ERR_BAD_DATA);
287 /* Now check for more key-value pairs of the form NAME[=VALUE]. */
290 for (; spacep (p); p++)
294 n = strcspn (p, "= \t");
297 log_error ("assigning a value to a flag is not yet supported; "
298 "in '%s', line %d\n", fname, lnr);
299 err = gpg_error (GPG_ERR_BAD_DATA);
302 else if (n == 5 && !memcmp (p, "relax", 5))
304 else if (n == 2 && !memcmp (p, "cm", 2))
307 log_error ("flag '%.*s' in '%s', line %d ignored\n",
313 if ( !err && !es_feof (fp) )
315 err = gpg_error_from_syserror ();
316 log_error (_("error reading '%s', line %d: %s\n"),
317 fname, lnr, gpg_strerror (err));
322 *addr_of_table = table;
323 *addr_of_tablesize = tablesize;
324 *addr_of_tableidx = tableidx;
329 /* Read the trust files and update the global table on success. The
330 trusttable is assumed to be locked. */
332 read_trustfiles (void)
335 trustitem_t *table, *ti;
339 int allow_include = 1;
342 table = xtrycalloc (tablesize, sizeof *table);
344 return gpg_error_from_syserror ();
347 fname = make_filename_try (gnupg_homedir (), "trustlist.txt", NULL);
350 err = gpg_error_from_syserror ();
355 if ( access (fname, F_OK) )
357 if ( errno == ENOENT )
358 ; /* Silently ignore a non-existing trustfile. */
361 err = gpg_error_from_syserror ();
362 log_error (_("error opening '%s': %s\n"), fname, gpg_strerror (err));
365 fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
368 err = read_one_trustfile (fname, allow_include,
369 &table, &tablesize, &tableidx);
375 if (gpg_err_code (err) == GPG_ERR_ENOENT)
377 /* Take a missing trustlist as an empty one. */
384 /* Fixme: we should drop duplicates and sort the table. */
385 ti = xtryrealloc (table, (tableidx?tableidx:1) * sizeof *table);
388 err = gpg_error_from_syserror ();
393 /* Replace the trusttable. */
396 trusttablesize = tableidx;
401 /* Check whether the given fpr is in our trustdb. We expect FPR to be
402 an all uppercase hexstring of 40 characters. If ALREADY_LOCKED is
403 true the function assumes that the trusttable is already locked. */
405 istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
409 int locked = already_locked;
412 unsigned char fprbin[20];
417 if ( hexcolon2bin (fpr, fprbin, 20) < 0 )
419 err = gpg_error (GPG_ERR_INV_VALUE);
431 err = read_trustfiles ();
434 log_error (_("error reading list of trusted root certificates\n"));
441 for (ti=trusttable, len = trusttablesize; len; ti++, len--)
442 if (!memcmp (ti->fpr, fprbin, 20))
444 if (ti->flags.disabled && r_disabled)
447 /* Print status messages only if we have not been called
448 in a locked state. */
451 else if (ti->flags.relax)
453 unlock_trusttable ();
455 err = agent_write_status (ctrl, "TRUSTLISTFLAG", "relax", NULL);
457 else if (ti->flags.cm)
459 unlock_trusttable ();
461 err = agent_write_status (ctrl, "TRUSTLISTFLAG", "cm", NULL);
465 err = ti->flags.disabled? gpg_error (GPG_ERR_NOT_TRUSTED) : 0;
469 err = gpg_error (GPG_ERR_NOT_TRUSTED);
472 if (locked && !already_locked)
473 unlock_trusttable ();
478 /* Check whether the given fpr is in our trustdb. We expect FPR to be
479 an all uppercase hexstring of 40 characters. */
481 agent_istrusted (ctrl_t ctrl, const char *fpr, int *r_disabled)
483 return istrusted_internal (ctrl, fpr, r_disabled, 0);
487 /* Write all trust entries to FP. */
489 agent_listtrusted (void *assuan_context)
499 err = read_trustfiles ();
502 unlock_trusttable ();
503 log_error (_("error reading list of trusted root certificates\n"));
510 for (ti=trusttable, len = trusttablesize; len; ti++, len--)
512 if (ti->flags.disabled)
514 bin2hex (ti->fpr, 20, key);
516 key[41] = ((ti->flags.for_smime && ti->flags.for_pgp)? '*'
517 : ti->flags.for_smime? 'S': ti->flags.for_pgp? 'P':' ');
519 assuan_send_data (assuan_context, key, 43);
520 assuan_send_data (assuan_context, NULL, 0); /* flush */
524 unlock_trusttable ();
529 /* Create a copy of string with colons inserted after each two bytes.
530 Caller needs to release the string. In case of a memory failure,
533 insert_colons (const char *string)
536 size_t n = strlen (string);
537 size_t nnew = n + (n+1)/2;
539 p = buffer = xtrymalloc ( nnew + 1 );
553 assert (strlen (buffer) <= nnew);
559 /* To pretty print DNs in the Pinentry, we replace slashes by
560 REPLSTRING. The caller needs to free the returned string. NULL is
561 returned on error with ERRNO set. */
563 reformat_name (const char *name, const char *replstring)
569 size_t replstringlen = strlen (replstring);
571 /* If the name does not start with a slash it is not a preformatted
572 DN and thus we don't bother to reformat it. */
574 return xtrystrdup (name);
576 /* Count the names. Note that a slash contained in a DN part is
577 expected to be C style escaped and thus the slashes we see here
578 are the actual part delimiters. */
579 for (s=name+1, count=0; *s; s++)
582 newname = xtrymalloc (strlen (name) + count*replstringlen + 1);
585 for (s=name+1, d=newname; *s; s++)
587 d = stpcpy (d, replstring);
595 /* Insert the given fpr into our trustdb. We expect FPR to be an all
596 uppercase hexstring of 40 characters. FLAG is either 'P' or 'C'.
597 This function does first check whether that key has already been
598 put into the trustdb and returns success in this case. Before a
599 FPR actually gets inserted, the user is asked by means of the
600 Pinentry whether this is actual what he wants to do. */
602 agent_marktrusted (ctrl_t ctrl, const char *name, const char *fpr, int flag)
613 /* Check whether we are at all allowed to modify the trustlist.
614 This is useful so that the trustlist may be a symlink to a global
615 trustlist with only admin priviliges to modify it. Of course
616 this is not a secure way of denying access, but it avoids the
617 usual clicking on an Okay button most users are used to. */
618 fname = make_filename_try (gnupg_homedir (), "trustlist.txt", NULL);
620 return gpg_error_from_syserror ();
622 if ( access (fname, W_OK) && errno != ENOENT)
625 return gpg_error (GPG_ERR_EPERM);
629 if (!agent_istrusted (ctrl, fpr, &is_disabled))
631 return 0; /* We already got this fingerprint. Silently return
635 /* This feature must explicitly been enabled. */
636 if (!opt.allow_mark_trusted)
637 return gpg_error (GPG_ERR_NOT_SUPPORTED);
641 /* There is an disabled entry in the trustlist. Return an error
642 so that the user won't be asked again for that one. Changing
643 this flag with the integrated marktrusted feature is and will
644 not be made possible. */
645 return gpg_error (GPG_ERR_NOT_TRUSTED);
649 /* Insert a new one. */
650 nameformatted = reformat_name (name, "%0A ");
652 return gpg_error_from_syserror ();
654 /* First a general question whether this is trusted. */
655 desc = xtryasprintf (
656 /* TRANSLATORS: This prompt is shown by the Pinentry
657 and has one special property: A "%%0A" is used by
658 Pinentry to insert a line break. The double
659 percent sign is actually needed because it is also
660 a printf format string. If you need to insert a
661 plain % sign, you need to encode it as "%%25". The
662 "%s" gets replaced by the name as stored in the
664 L_("Do you ultimately trust%%0A"
666 "to correctly certify user certificates?"),
670 xfree (nameformatted);
671 return out_of_core ();
673 err = agent_get_confirmation (ctrl, desc, L_("Yes"), L_("No"), 1);
677 else if (gpg_err_code (err) == GPG_ERR_NOT_CONFIRMED)
681 xfree (nameformatted);
686 fprformatted = insert_colons (fpr);
689 xfree (nameformatted);
690 return out_of_core ();
693 /* If the user trusts this certificate he has to verify the
694 fingerprint of course. */
699 /* TRANSLATORS: This prompt is shown by the Pinentry and has
700 one special property: A "%%0A" is used by Pinentry to
701 insert a line break. The double percent sign is actually
702 needed because it is also a printf format string. If you
703 need to insert a plain % sign, you need to encode it as
704 "%%25". The second "%s" gets replaced by a hexdecimal
705 fingerprint string whereas the first one receives the name
706 as stored in the certificate. */
707 L_("Please verify that the certificate identified as:%%0A"
709 "has the fingerprint:%%0A"
710 " %s"), nameformatted, fprformatted);
713 xfree (fprformatted);
714 xfree (nameformatted);
715 return out_of_core ();
718 /* TRANSLATORS: "Correct" is the label of a button and intended
719 to be hit if the fingerprint matches the one of the CA. The
720 other button is "the default "Cancel" of the Pinentry. */
721 err = agent_get_confirmation (ctrl, desc, L_("Correct"), L_("Wrong"), 1);
723 if (gpg_err_code (err) == GPG_ERR_NOT_CONFIRMED)
727 xfree (fprformatted);
728 xfree (nameformatted);
734 /* Now check again to avoid duplicates. We take the lock to make
735 sure that nobody else plays with our file and force a reread. */
738 if (!istrusted_internal (ctrl, fpr, &is_disabled, 1) || is_disabled)
740 unlock_trusttable ();
741 xfree (fprformatted);
742 xfree (nameformatted);
743 return is_disabled? gpg_error (GPG_ERR_NOT_TRUSTED) : 0;
746 fname = make_filename_try (gnupg_homedir (), "trustlist.txt", NULL);
749 err = gpg_error_from_syserror ();
750 unlock_trusttable ();
751 xfree (fprformatted);
752 xfree (nameformatted);
755 if ( access (fname, F_OK) && errno == ENOENT)
757 fp = es_fopen (fname, "wx,mode=-rw-r");
760 err = gpg_error_from_syserror ();
761 log_error ("can't create '%s': %s\n", fname, gpg_strerror (err));
763 unlock_trusttable ();
764 xfree (fprformatted);
765 xfree (nameformatted);
768 es_fputs (headerblurb, fp);
771 fp = es_fopen (fname, "a+,mode=-rw-r");
774 err = gpg_error_from_syserror ();
775 log_error ("can't open '%s': %s\n", fname, gpg_strerror (err));
777 unlock_trusttable ();
778 xfree (fprformatted);
779 xfree (nameformatted);
783 /* Append the key. */
784 es_fputs ("\n# ", fp);
785 xfree (nameformatted);
786 nameformatted = reformat_name (name, "\n# ");
787 if (!nameformatted || strchr (name, '\n'))
789 /* Note that there should never be a LF in NAME but we better
790 play safe and print a sanitized version in this case. */
791 es_write_sanitized (fp, name, strlen (name), NULL, NULL);
794 es_fputs (nameformatted, fp);
795 es_fprintf (fp, "\n%s%s %c%s\n", yes_i_trust?"":"!", fprformatted, flag,
796 flag == 'S'? " relax":"");
798 err = gpg_error_from_syserror ();
801 err = gpg_error_from_syserror ();
805 unlock_trusttable ();
806 xfree (fprformatted);
807 xfree (nameformatted);
809 bump_key_eventcounter ();
814 /* This function may be called to force reloading of the
817 agent_reload_trustlist (void)
819 /* All we need to do is to delete the trusttable. At the next
820 access it will get re-read. */
823 unlock_trusttable ();
824 bump_key_eventcounter ();