1 /* tofu.c - TOFU trust model.
2 * Copyright (C) 2015, 2016 g10 Code GmbH
4 * This file is part of GnuPG.
6 * GnuPG is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * GnuPG is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <https://www.gnu.org/licenses/>.
22 - Format the fingerprints nicely when printing (similar to gpg
36 #include "stringhelp.h"
38 #include "mbox-util.h"
50 #define CONTROL_L ('L' - 'A' + 1)
52 /* Number of days with signed / ecnrypted messages required to
53 * indicate that enough history is available for basic trust. */
54 #define BASIC_TRUST_THRESHOLD 4
55 /* Number of days with signed / encrypted messages required to
56 * indicate that a lot of history is available. */
57 #define FULL_TRUST_THRESHOLD 21
60 /* A struct with data pertaining to the tofu DB. There is one such
61 struct per session and it is cached in session's ctrl structure.
62 To initialize this or get the current singleton, call opendbs().
63 There is no need to explicitly release it; cleanup is done when the
64 CTRL object is released. */
69 time_t want_lock_file_ctime;
73 sqlite3_stmt *savepoint_batch;
74 sqlite3_stmt *savepoint_batch_commit;
76 sqlite3_stmt *record_binding_get_old_policy;
77 sqlite3_stmt *record_binding_update;
78 sqlite3_stmt *get_policy_select_policy_and_conflict;
79 sqlite3_stmt *get_trust_bindings_with_this_email;
80 sqlite3_stmt *get_trust_gather_other_user_ids;
81 sqlite3_stmt *get_trust_gather_signature_stats;
82 sqlite3_stmt *get_trust_gather_encryption_stats;
83 sqlite3_stmt *register_already_seen;
84 sqlite3_stmt *register_signature;
85 sqlite3_stmt *register_encryption;
88 int in_batch_transaction;
90 time_t batch_update_started;
94 #define STRINGIFY(s) STRINGIFY2(s)
95 #define STRINGIFY2(s) #s
97 /* The grouping parameters when collecting signature statistics. */
99 /* If a message is signed a couple of hours in the future, just assume
101 #define TIME_AGO_FUTURE_IGNORE (2 * 60 * 60)
103 #define TIME_AGO_UNIT_SMALL (24 * 60 * 60)
104 #define TIME_AGO_SMALL_THRESHOLD (7 * TIME_AGO_UNIT_SMALL)
106 #define TIME_AGO_UNIT_MEDIUM (30 * 24 * 60 * 60)
107 #define TIME_AGO_MEDIUM_THRESHOLD (2 * TIME_AGO_UNIT_MEDIUM)
109 #define TIME_AGO_UNIT_LARGE (365 * 24 * 60 * 60)
110 #define TIME_AGO_LARGE_THRESHOLD (2 * TIME_AGO_UNIT_LARGE)
112 /* Local prototypes. */
113 static gpg_error_t end_transaction (ctrl_t ctrl, int only_batch);
114 static char *email_from_user_id (const char *user_id);
115 static int show_statistics (tofu_dbs_t dbs,
116 const char *fingerprint, const char *email,
117 enum tofu_policy policy,
118 estream_t outfp, int only_status_fd, time_t now);
121 tofu_policy_str (enum tofu_policy policy)
125 case TOFU_POLICY_NONE: return "none";
126 case TOFU_POLICY_AUTO: return "auto";
127 case TOFU_POLICY_GOOD: return "good";
128 case TOFU_POLICY_UNKNOWN: return "unknown";
129 case TOFU_POLICY_BAD: return "bad";
130 case TOFU_POLICY_ASK: return "ask";
131 default: return "???";
135 /* Convert a binding policy (e.g., TOFU_POLICY_BAD) to a trust level
136 (e.g., TRUST_BAD) in light of the current configuration. */
138 tofu_policy_to_trust_level (enum tofu_policy policy)
140 if (policy == TOFU_POLICY_AUTO)
141 /* If POLICY is AUTO, fallback to OPT.TOFU_DEFAULT_POLICY. */
142 policy = opt.tofu_default_policy;
146 case TOFU_POLICY_AUTO:
147 /* If POLICY and OPT.TOFU_DEFAULT_POLICY are both AUTO, default
148 to marginal trust. */
149 return TRUST_MARGINAL;
150 case TOFU_POLICY_GOOD:
152 case TOFU_POLICY_UNKNOWN:
153 return TRUST_UNKNOWN;
154 case TOFU_POLICY_BAD:
156 case TOFU_POLICY_ASK:
157 return TRUST_UNKNOWN;
159 log_bug ("Bad value for trust policy: %d\n",
160 opt.tofu_default_policy);
167 /* Start a transaction on DB. If ONLY_BATCH is set, then this will
168 start a batch transaction if we haven't started a batch transaction
169 and one has been requested. */
171 begin_transaction (ctrl_t ctrl, int only_batch)
173 tofu_dbs_t dbs = ctrl->tofu.dbs;
179 /* If we've been in batch update mode for a while (on average, more
180 * than 500 ms), to prevent starving other gpg processes, we drop
181 * and retake the batch lock.
183 * Note: gnupg_get_time has a one second resolution, if we wanted a
184 * higher resolution, we could use npth_clock_gettime. */
185 if (/* No real transactions. */
186 dbs->in_transaction == 0
187 /* There is an open batch transaction. */
188 && dbs->in_batch_transaction
189 /* And some time has gone by since it was started. */
190 && dbs->batch_update_started != gnupg_get_time ())
194 /* If we are in a batch update, then batch updates better have
196 log_assert (ctrl->tofu.batch_updated_wanted);
198 /* Check if another process wants to run. (We just ignore any
199 * stat failure. A waiter might have to wait a bit longer, but
200 * otherwise there should be no impact.) */
201 if (stat (dbs->want_lock_file, &statbuf) == 0
202 && statbuf.st_ctime != dbs->want_lock_file_ctime)
204 end_transaction (ctrl, 2);
206 /* Yield to allow another process a chance to run. Note:
207 * testing suggests that anything less than a 100ms tends to
208 * not result in the other process getting the lock. */
209 gnupg_usleep (100000);
212 dbs->batch_update_started = gnupg_get_time ();
215 if (/* We don't have an open batch transaction. */
216 !dbs->in_batch_transaction
217 && (/* Batch mode is enabled or we are starting a new transaction. */
218 ctrl->tofu.batch_updated_wanted || dbs->in_transaction == 0))
222 /* We are in batch mode, but we don't have an open batch
223 * transaction. Since the batch save point must be the outer
224 * save point, it must be taken before the inner save point. */
225 log_assert (dbs->in_transaction == 0);
227 rc = gpgsql_stepx (dbs->db, &dbs->s.savepoint_batch,
229 "begin immediate transaction;", GPGSQL_ARG_END);
232 log_error (_("error beginning transaction on TOFU database: %s\n"),
235 return gpg_error (GPG_ERR_GENERAL);
238 dbs->in_batch_transaction = 1;
239 dbs->batch_update_started = gnupg_get_time ();
241 if (stat (dbs->want_lock_file, &statbuf) == 0)
242 dbs->want_lock_file_ctime = statbuf.st_ctime;
248 log_assert (dbs->in_transaction >= 0);
249 dbs->in_transaction ++;
251 rc = gpgsql_exec_printf (dbs->db, NULL, NULL, &err,
252 "savepoint inner%d;",
253 dbs->in_transaction);
256 log_error (_("error beginning transaction on TOFU database: %s\n"),
259 return gpg_error (GPG_ERR_GENERAL);
266 /* Commit a transaction. If ONLY_BATCH is 1, then this only ends the
267 * batch transaction if we have left batch mode. If ONLY_BATCH is 2,
268 * this commits any open batch transaction even if we are still in
271 end_transaction (ctrl_t ctrl, int only_batch)
273 tofu_dbs_t dbs = ctrl->tofu.dbs;
277 if (only_batch || (! only_batch && dbs->in_transaction == 1))
280 return 0; /* Shortcut to allow for easier cleanup code. */
282 /* If we are releasing the batch transaction, then we better not
283 be in a normal transaction. */
285 log_assert (dbs->in_transaction == 0);
287 if (/* Batch mode disabled? */
288 (!ctrl->tofu.batch_updated_wanted || only_batch == 2)
289 /* But, we still have an open batch transaction? */
290 && dbs->in_batch_transaction)
292 /* The batch transaction is still in open, but we've left
294 dbs->in_batch_transaction = 0;
295 dbs->in_transaction = 0;
297 rc = gpgsql_stepx (dbs->db, &dbs->s.savepoint_batch_commit,
299 "commit transaction;", GPGSQL_ARG_END);
302 log_error (_("error committing transaction on TOFU database: %s\n"),
305 return gpg_error (GPG_ERR_GENERAL);
316 log_assert (dbs->in_transaction > 0);
318 rc = gpgsql_exec_printf (dbs->db, NULL, NULL, &err,
319 "release inner%d;", dbs->in_transaction);
321 dbs->in_transaction --;
325 log_error (_("error committing transaction on TOFU database: %s\n"),
328 return gpg_error (GPG_ERR_GENERAL);
336 rollback_transaction (ctrl_t ctrl)
338 tofu_dbs_t dbs = ctrl->tofu.dbs;
343 log_assert (dbs->in_transaction > 0);
345 /* Be careful to not undo any progress made by closed transactions in
347 rc = gpgsql_exec_printf (dbs->db, NULL, NULL, &err,
348 "rollback to inner%d;",
349 dbs->in_transaction);
351 dbs->in_transaction --;
355 log_error (_("error rolling back transaction on TOFU database: %s\n"),
358 return gpg_error (GPG_ERR_GENERAL);
365 tofu_begin_batch_update (ctrl_t ctrl)
367 ctrl->tofu.batch_updated_wanted ++;
371 tofu_end_batch_update (ctrl_t ctrl)
373 log_assert (ctrl->tofu.batch_updated_wanted > 0);
374 ctrl->tofu.batch_updated_wanted --;
375 end_transaction (ctrl, 1);
378 /* Suspend any extant batch transaction (it is safe to call this even
379 no batch transaction has been started). Note: you cannot suspend a
380 batch transaction if you are in a normal transaction. The batch
381 transaction can be resumed explicitly by calling
382 tofu_resume_batch_transaction or implicitly by starting a normal
385 tofu_suspend_batch_transaction (ctrl_t ctrl)
387 end_transaction (ctrl, 2);
390 /* Resume a batch transaction if there is no extant batch transaction
391 and one has been requested using tofu_begin_batch_transaction. */
393 tofu_resume_batch_transaction (ctrl_t ctrl)
395 begin_transaction (ctrl, 1);
400 /* Wrapper around strtol which prints a warning in case of a
401 * conversion error. On success the converted value is stored at
402 * R_VALUE and 0 is returned; on error FALLBACK is stored at R_VALUE
403 * and an error code is returned. */
405 string_to_long (long *r_value, const char *string, long fallback, int line)
410 gpg_err_set_errno (0);
411 *r_value = strtol (string, &tail, 0);
412 if (errno || !(!strcmp (tail, ".0") || !*tail))
414 err = errno? gpg_error_from_errno (errno) : gpg_error (GPG_ERR_BAD_DATA);
415 log_debug ("%s:%d: strtol failed for TOFU DB data; returned string"
416 " (string='%.10s%s'; tail='%.10s%s'): %s\n",
418 string, string && strlen(string) > 10 ? "..." : "",
419 tail, tail && strlen(tail) > 10 ? "..." : "",
430 /* Wrapper around strtoul which prints a warning in case of a
431 * conversion error. On success the converted value is stored at
432 * R_VALUE and 0 is returned; on error FALLBACK is stored at R_VALUE
433 * and an error code is returned. */
435 string_to_ulong (unsigned long *r_value, const char *string,
436 unsigned long fallback, int line)
441 gpg_err_set_errno (0);
442 *r_value = strtoul (string, &tail, 0);
443 if (errno || !(!strcmp (tail, ".0") || !*tail))
445 err = errno? gpg_error_from_errno (errno) : gpg_error (GPG_ERR_BAD_DATA);
446 log_debug ("%s:%d: strtoul failed for TOFU DB data; returned string"
447 " (string='%.10s%s'; tail='%.10s%s'): %s\n",
449 string, string && strlen(string) > 10 ? "..." : "",
450 tail, tail && strlen(tail) > 10 ? "..." : "",
462 /* Collect results of a select count (*) ...; style query. Aborts if
463 the argument is not a valid integer (or real of the form X.0). */
465 get_single_unsigned_long_cb (void *cookie, int argc, char **argv,
468 unsigned long int *count = cookie;
472 log_assert (argc == 1);
474 if (string_to_ulong (count, argv[0], 0, __LINE__))
475 return 1; /* Abort. */
480 get_single_unsigned_long_cb2 (void *cookie, int argc, char **argv,
481 char **azColName, sqlite3_stmt *stmt)
484 return get_single_unsigned_long_cb (cookie, argc, argv, azColName);
487 /* We expect a single integer column whose name is "version". COOKIE
488 must point to an int. This function always aborts. On error or a
489 if the version is bad, sets *VERSION to -1. */
491 version_check_cb (void *cookie, int argc, char **argv, char **azColName)
493 int *version = cookie;
495 if (argc != 1 || strcmp (azColName[0], "version") != 0)
501 if (strcmp (argv[0], "1") == 0)
505 log_error (_("unsupported TOFU database version: %s\n"), argv[0]);
509 /* Don't run again. */
514 check_utks (sqlite3 *db)
518 struct key_item *utks;
521 char *utks_string = NULL;
522 char keyid_str[16+1];
523 long utks_unchanged = 0;
525 /* An early version of the v1 format did not include the list of
526 * known ultimately trusted keys.
528 * This list is used to detect when the set of ultimately trusted
529 * keys changes. We need to detect this to invalidate the effective
530 * policy, which can change if an ultimately trusted key is added or
532 rc = sqlite3_exec (db,
533 "create table if not exists ultimately_trusted_keys"
538 log_error (_("error creating 'ultimately_trusted_keys' TOFU table: %s\n"),
546 for (ki = utks, utk_count = 0; ki; ki = ki->next, utk_count ++)
551 /* Build a list of keyids of the form "XXX","YYY","ZZZ". */
552 int len = (1 + 16 + 1 + 1) * utk_count;
555 utks_string = xmalloc (len);
557 for (ki = utks, utk_count = 0; ki; ki = ki->next, utk_count ++)
559 utks_string[o ++] = '\'';
560 format_keyid (ki->kid, KF_LONG,
561 keyid_str, sizeof (keyid_str));
562 memcpy (&utks_string[o], keyid_str, 16);
564 utks_string[o ++] = '\'';
565 utks_string[o ++] = ',';
567 utks_string[o - 1] = 0;
568 log_assert (o == len);
571 rc = gpgsql_exec_printf
572 (db, get_single_unsigned_long_cb, &utks_unchanged, &err,
574 /* Removed UTKs? (Known UTKs in current UTKs.) */
575 " ((select count(*) from ultimately_trusted_keys"
576 " where (keyid in (%s))) == %d)"
579 " ((select count(*) from ultimately_trusted_keys"
580 " where keyid not in (%s)) == 0);",
581 utks_string ? utks_string : "",
583 utks_string ? utks_string : "");
587 log_error (_("TOFU DB error"));
588 print_further_info ("checking if ultimately trusted keys changed: %s",
598 log_debug ("TOFU: ultimately trusted keys changed.\n");
600 /* Given that the set of ultimately trusted keys
601 * changed, clear any cached policies. */
602 rc = gpgsql_exec_printf
603 (db, NULL, NULL, &err,
604 "update bindings set effective_policy = %d;",
608 log_error (_("TOFU DB error"));
609 print_further_info ("clearing cached policies: %s", err);
614 /* Now, update the UTK table. */
615 rc = sqlite3_exec (db,
616 "drop table ultimately_trusted_keys;",
620 log_error (_("TOFU DB error"));
621 print_further_info ("dropping ultimately_trusted_keys: %s", err);
626 rc = sqlite3_exec (db,
627 "create table if not exists"
628 " ultimately_trusted_keys (keyid);\n",
632 log_error (_("TOFU DB error"));
633 print_further_info ("creating ultimately_trusted_keys: %s", err);
638 for (ki = utks; ki; ki = ki->next)
640 format_keyid (ki->kid, KF_LONG,
641 keyid_str, sizeof (keyid_str));
642 rc = gpgsql_exec_printf
643 (db, NULL, NULL, &err,
644 "insert into ultimately_trusted_keys values ('%s');",
648 log_error (_("TOFU DB error"));
649 print_further_info ("updating ultimately_trusted_keys: %s",
660 /* If the DB is new, initialize it. Otherwise, check the DB's
663 Return 0 if the database is okay and 1 otherwise. */
669 unsigned long int count;
672 rc = sqlite3_exec (db, "begin transaction;", NULL, NULL, &err);
675 log_error (_("error beginning transaction on TOFU database: %s\n"),
681 /* If the DB has no tables, then assume this is a new DB that needs
682 to be initialized. */
683 rc = sqlite3_exec (db,
684 "select count(*) from sqlite_master where type='table';",
685 get_single_unsigned_long_cb, &count, &err);
688 log_error (_("error reading TOFU database: %s\n"), err);
689 print_further_info ("query available tables");
694 /* Assume that the DB is already initialized. Make sure the
697 rc = sqlite3_exec (db, "select version from version;", version_check_cb,
699 if (rc == SQLITE_ABORT && version == 1)
700 /* Happy, happy, joy, joy. */
706 else if (rc == SQLITE_ABORT && version == -1)
707 /* Unsupported version. */
709 /* An error message was already displayed. */
716 log_error (_("error determining TOFU database's version: %s\n"), err);
722 /* Unexpected success. This can only happen if there are no
723 rows. (select returned 0, but expected ABORT.) */
724 log_error (_("error determining TOFU database's version: %s\n"),
725 gpg_strerror (GPG_ERR_NO_DATA));
731 /* Create the version table. */
732 rc = sqlite3_exec (db,
733 "create table version (version INTEGER);",
737 log_error (_("error initializing TOFU database: %s\n"), err);
738 print_further_info ("create version");
743 /* Initialize the version table, which contains a single integer
745 rc = sqlite3_exec (db,
746 "insert into version values (1);",
750 log_error (_("error initializing TOFU database: %s\n"), err);
751 print_further_info ("insert version");
756 /* The list of <fingerprint, email> bindings and auxiliary data.
758 * OID is a unique ID identifying this binding (and used by the
759 * signatures table, see below). Note: OIDs will never be
762 * FINGERPRINT: The key's fingerprint.
764 * EMAIL: The normalized email address.
766 * USER_ID: The unmodified user id from which EMAIL was extracted.
768 * TIME: The time this binding was first observed.
770 * POLICY: The trust policy (TOFU_POLICY_BAD, etc. as an integer).
772 * CONFLICT is either NULL or a fingerprint. Assume that we have
773 * a binding <0xdeadbeef, foo@example.com> and then we observe
774 * <0xbaddecaf, foo@example.com>. There two bindings conflict
775 * (they have the same email address). When we observe the
776 * latter binding, we warn the user about the conflict and ask
777 * for a policy decision about the new binding. We also change
778 * the old binding's policy to ask if it was auto. So that we
779 * know why this occurred, we also set conflict to 0xbaddecaf.
781 rc = gpgsql_exec_printf
782 (db, NULL, NULL, &err,
783 "create table bindings\n"
784 " (oid INTEGER PRIMARY KEY AUTOINCREMENT,\n"
785 " fingerprint TEXT, email TEXT, user_id TEXT, time INTEGER,\n"
786 " policy INTEGER CHECK (policy in (%d, %d, %d, %d, %d)),\n"
787 " conflict STRING,\n"
788 " unique (fingerprint, email));\n"
789 "create index bindings_fingerprint_email\n"
790 " on bindings (fingerprint, email);\n"
791 "create index bindings_email on bindings (email);\n",
792 TOFU_POLICY_AUTO, TOFU_POLICY_GOOD, TOFU_POLICY_UNKNOWN,
793 TOFU_POLICY_BAD, TOFU_POLICY_ASK);
796 log_error (_("error initializing TOFU database: %s\n"), err);
797 print_further_info ("create bindings");
802 /* The signatures that we have observed.
804 * BINDING refers to a record in the bindings table, which
805 * describes the binding (i.e., this is a foreign key that
806 * references bindings.oid).
808 * SIG_DIGEST is the digest stored in the signature.
810 * SIG_TIME is the timestamp stored in the signature.
812 * ORIGIN is a free-form string that describes who fed this
813 * signature to GnuPG (e.g., email:claws).
815 * TIME is the time this signature was registered. */
816 rc = sqlite3_exec (db,
817 "create table signatures "
818 " (binding INTEGER NOT NULL, sig_digest TEXT,"
819 " origin TEXT, sig_time INTEGER, time INTEGER,"
820 " primary key (binding, sig_digest, origin));",
824 log_error (_("error initializing TOFU database: %s\n"), err);
825 print_further_info ("create signatures");
833 /* Early version of the v1 format did not include the encryption
835 rc = sqlite3_exec (db,
836 "create table if not exists encryptions"
837 " (binding INTEGER NOT NULL,"
839 "create index if not exists encryptions_binding"
840 " on encryptions (binding);\n",
844 log_error (_("error creating 'encryptions' TOFU table: %s\n"),
851 /* The effective policy for a binding. If a key is ultimately
852 * trusted, then the effective policy of all of its bindings is
853 * good. Likewise if a key is signed by an ultimately trusted
854 * key, etc. If the effective policy is NONE, then we need to
855 * recompute the effective policy. Otherwise, the effective
856 * policy is considered to be up to date, i.e., effective_policy
857 * is a cache of the computed policy. */
858 rc = gpgsql_exec_printf
859 (db, NULL, NULL, &err,
860 "alter table bindings"
861 " add column effective_policy INTEGER"
863 " CHECK (effective_policy in (%d, %d, %d, %d, %d, %d));",
865 TOFU_POLICY_NONE, TOFU_POLICY_AUTO, TOFU_POLICY_GOOD,
866 TOFU_POLICY_UNKNOWN, TOFU_POLICY_BAD, TOFU_POLICY_ASK);
869 if (rc == SQLITE_ERROR)
870 /* Almost certainly "duplicate column name", which we can
874 log_error (_("adding column effective_policy to bindings DB: %s\n"),
881 rc = check_utks (db);
885 rc = sqlite3_exec (db, "rollback;", NULL, NULL, &err);
888 log_error (_("error rolling back transaction on TOFU database: %s\n"),
896 rc = sqlite3_exec (db, "end transaction;", NULL, NULL, &err);
899 log_error (_("error committing transaction on TOFU database: %s\n"),
909 busy_handler (void *cookie, int call_count)
911 ctrl_t ctrl = cookie;
912 tofu_dbs_t dbs = ctrl->tofu.dbs;
916 /* Update the want-lock-file time stamp (specifically, the ctime) so
917 * that the current owner knows that we (well, someone) want the
921 /* Note: we don't fail if we can't create the lock file: this
922 * process will have to wait a bit longer, but otherwise nothing
923 * horrible should happen. */
927 fp = es_fopen (dbs->want_lock_file, "w");
929 log_debug ("TOFU: Error opening '%s': %s\n",
930 dbs->want_lock_file, strerror (errno));
939 /* Create a new DB handle. Returns NULL on error. */
940 /* FIXME: Change to return an error code for better reporting by the
943 opendbs (ctrl_t ctrl)
951 filename = make_filename (gnupg_homedir (), "tofu.db", NULL);
953 rc = sqlite3_open (filename, &db);
956 log_error (_("error opening TOFU database '%s': %s\n"),
957 filename, sqlite3_errmsg (db));
958 /* Even if an error occurs, DB is guaranteed to be valid. */
963 /* If a DB is locked wait up to 5 seconds for the lock to be cleared
967 sqlite3_busy_timeout (db, 5 * 1000);
968 sqlite3_busy_handler (db, busy_handler, ctrl);
971 if (db && initdb (db))
979 ctrl->tofu.dbs = xmalloc_clear (sizeof *ctrl->tofu.dbs);
980 ctrl->tofu.dbs->db = db;
981 ctrl->tofu.dbs->want_lock_file = xasprintf ("%s-want-lock", filename);
987 log_assert (ctrl->tofu.dbs->db);
989 return ctrl->tofu.dbs;
993 /* Release all of the resources associated with the DB handle. */
995 tofu_closedbs (ctrl_t ctrl)
998 sqlite3_stmt **statements;
1000 dbs = ctrl->tofu.dbs;
1002 return; /* Not initialized. */
1004 log_assert (dbs->in_transaction == 0);
1006 end_transaction (ctrl, 2);
1008 /* Arghh, that is a surprising use of the struct. */
1009 for (statements = (void *) &dbs->s;
1010 (void *) statements < (void *) &(&dbs->s)[1];
1012 sqlite3_finalize (*statements);
1014 sqlite3_close (dbs->db);
1015 xfree (dbs->want_lock_file);
1017 ctrl->tofu.dbs = NULL;
1021 /* Collect results of a select min (foo) ...; style query. Aborts if
1022 the argument is not a valid integer (or real of the form X.0). */
1024 get_single_long_cb (void *cookie, int argc, char **argv, char **azColName)
1026 long *count = cookie;
1030 log_assert (argc == 1);
1032 if (string_to_long (count, argv[0], 0, __LINE__))
1033 return 1; /* Abort. */
1039 get_single_long_cb2 (void *cookie, int argc, char **argv, char **azColName,
1043 return get_single_long_cb (cookie, argc, argv, azColName);
1046 /* Record (or update) a trust policy about a (possibly new)
1049 If SHOW_OLD is set, the binding's old policy is displayed. */
1051 record_binding (tofu_dbs_t dbs, const char *fingerprint, const char *email,
1052 const char *user_id,
1053 enum tofu_policy policy, enum tofu_policy effective_policy,
1054 const char *conflict, int set_conflict,
1055 int show_old, time_t now)
1057 char *fingerprint_pp = format_hexfingerprint (fingerprint, NULL, 0);
1061 if (! (policy == TOFU_POLICY_AUTO
1062 || policy == TOFU_POLICY_GOOD
1063 || policy == TOFU_POLICY_UNKNOWN
1064 || policy == TOFU_POLICY_BAD
1065 || policy == TOFU_POLICY_ASK))
1066 log_bug ("%s: Bad value for policy (%d)!\n", __func__, policy);
1069 if (DBG_TRUST || show_old)
1071 /* Get the old policy. Since this is just for informational
1072 * purposes, there is no need to start a transaction or to die
1073 * if there is a failure. */
1075 /* policy_old needs to be a long and not an enum tofu_policy,
1076 because we pass it by reference to get_single_long_cb2, which
1078 long policy_old = TOFU_POLICY_NONE;
1081 (dbs->db, &dbs->s.record_binding_get_old_policy,
1082 get_single_long_cb2, &policy_old, &err,
1083 "select policy from bindings where fingerprint = ? and email = ?",
1084 GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email,
1088 log_debug ("TOFU: Error reading from binding database"
1089 " (reading policy for <key: %s, user id: %s>): %s\n",
1090 fingerprint, email, err);
1094 if (policy_old != TOFU_POLICY_NONE)
1095 (show_old ? log_info : log_debug)
1096 ("Changing TOFU trust policy for binding"
1097 " <key: %s, user id: %s> from %s to %s.\n",
1098 fingerprint, show_old ? user_id : email,
1099 tofu_policy_str (policy_old),
1100 tofu_policy_str (policy));
1102 (show_old ? log_info : log_debug)
1103 ("Setting TOFU trust policy for new binding"
1104 " <key: %s, user id: %s> to %s.\n",
1105 fingerprint, show_old ? user_id : email,
1106 tofu_policy_str (policy));
1111 log_info ("TOFU database update skipped due to --dry-run\n");
1117 (dbs->db, &dbs->s.record_binding_update, NULL, NULL, &err,
1118 "insert or replace into bindings\n"
1119 " (oid, fingerprint, email, user_id, time,"
1120 " policy, conflict, effective_policy)\n"
1122 /* If we don't explicitly reuse the OID, then SQLite will
1123 * reallocate a new one. We just need to search for the OID
1124 * based on the fingerprint and email since they are unique. */
1125 " (select oid from bindings where fingerprint = ? and email = ?),\n"
1127 /* If SET_CONFLICT is 0, then preserve conflict's current value. */
1130 " (select conflict from bindings where fingerprint = ? and email = ?)"
1135 GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email,
1136 /* values 2 through 6. */
1137 GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email,
1138 GPGSQL_ARG_STRING, user_id,
1139 GPGSQL_ARG_LONG_LONG, (long long) now,
1140 GPGSQL_ARG_INT, (int) policy,
1141 /* conflict subquery. */
1142 GPGSQL_ARG_INT, set_conflict ? 1 : 0,
1143 GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email,
1144 GPGSQL_ARG_STRING, conflict ? conflict : "",
1145 GPGSQL_ARG_INT, (int) effective_policy,
1149 log_error (_("error updating TOFU database: %s\n"), err);
1150 print_further_info (" insert bindings <key: %s, user id: %s> = %s",
1151 fingerprint, email, tofu_policy_str (policy));
1157 xfree (fingerprint_pp);
1162 /* Collect the strings returned by a query in a simple string list.
1163 Any NULL values are converted to the empty string.
1165 If a result has 3 rows and each row contains two columns, then the
1166 results are added to the list as follows (the value is parentheses
1167 is the 1-based index in the final list):
1176 This is because add_to_strlist pushes the results onto the front of
1177 the list. The end result is that the rows are backwards, but the
1178 columns are in the expected order. */
1180 strings_collect_cb (void *cookie, int argc, char **argv, char **azColName)
1183 strlist_t *strlist = cookie;
1187 for (i = argc - 1; i >= 0; i --)
1188 add_to_strlist (strlist, argv[i] ? argv[i] : "");
1194 strings_collect_cb2 (void *cookie, int argc, char **argv, char **azColName,
1198 return strings_collect_cb (cookie, argc, argv, azColName);
1202 /* Auxiliary data structure to collect statistics about
1204 struct signature_stats
1206 struct signature_stats *next;
1208 /* The user-assigned policy for this binding. */
1209 enum tofu_policy policy;
1211 /* How long ago the signature was created (rounded to a multiple of
1212 TIME_AGO_UNIT_SMALL, etc.). */
1214 /* Number of signatures during this time. */
1215 unsigned long count;
1217 /* If the corresponding key/user id has been expired / revoked. */
1221 /* The key that generated this signature. */
1222 char fingerprint[1];
1226 signature_stats_free (struct signature_stats *stats)
1230 struct signature_stats *next = stats->next;
1237 signature_stats_prepend (struct signature_stats **statsp,
1238 const char *fingerprint,
1239 enum tofu_policy policy,
1241 unsigned long count)
1243 struct signature_stats *stats =
1244 xmalloc_clear (sizeof (*stats) + strlen (fingerprint));
1246 stats->next = *statsp;
1249 strcpy (stats->fingerprint, fingerprint);
1250 stats->policy = policy;
1251 stats->time_ago = time_ago;
1252 stats->count = count;
1256 /* Process rows that contain the four columns:
1258 <fingerprint, policy, time ago, count>. */
1260 signature_stats_collect_cb (void *cookie, int argc, char **argv,
1261 char **azColName, sqlite3_stmt *stmt)
1263 struct signature_stats **statsp = cookie;
1265 enum tofu_policy policy;
1267 unsigned long count;
1275 if (string_to_long (&along, argv[i], 0, __LINE__))
1276 return 1; /* Abort */
1284 if (string_to_long (&time_ago, argv[i], 0, __LINE__))
1285 return 1; /* Abort. */
1289 /* If time_ago is NULL, then we had no messages, but we still have a
1290 single row, which count(*) turns into 1. */
1295 if (string_to_ulong (&count, argv[i], 0, __LINE__))
1296 return 1; /* Abort */
1300 log_assert (argc == i);
1302 signature_stats_prepend (statsp, argv[0], policy, time_ago, count);
1307 /* Format the first part of a conflict message and return that as a
1308 * malloced string. */
1310 format_conflict_msg_part1 (int policy, strlist_t conflict_set,
1315 char *tmpstr, *text;
1317 log_assert (conflict_set);
1318 fingerprint = conflict_set->d;
1320 fp = es_fopenmem (0, "rw,samethread");
1322 log_fatal ("error creating memory stream: %s\n",
1323 gpg_strerror (gpg_error_from_syserror()));
1325 if (policy == TOFU_POLICY_NONE)
1328 _("This is the first time the email address \"%s\" is "
1329 "being used with key %s."),
1330 email, fingerprint);
1333 else if (policy == TOFU_POLICY_ASK && conflict_set->next)
1335 int conflicts = strlist_length (conflict_set);
1337 (fp, ngettext("The email address \"%s\" is associated with %d key!",
1338 "The email address \"%s\" is associated with %d keys!",
1343 _(" Since this binding's policy was 'auto', it has been "
1344 "changed to 'ask'."));
1349 _("Please indicate whether this email address should"
1350 " be associated with key %s or whether you think someone"
1351 " is impersonating \"%s\"."),
1352 fingerprint, email);
1353 es_fputc ('\n', fp);
1356 if (es_fclose_snatch (fp, (void **)&tmpstr, NULL))
1357 log_fatal ("error snatching memory stream\n");
1358 text = format_text (tmpstr, 0, 72, 80);
1365 /* Return 1 if A signed B and B signed A. */
1367 cross_sigs (const char *email, kbnode_t a, kbnode_t b)
1371 PKT_public_key *a_pk = a->pkt->pkt.public_key;
1372 PKT_public_key *b_pk = b->pkt->pkt.public_key;
1379 format_keyid (pk_main_keyid (a_pk),
1380 KF_LONG, a_keyid, sizeof (a_keyid));
1381 format_keyid (pk_main_keyid (b_pk),
1382 KF_LONG, b_keyid, sizeof (b_keyid));
1385 for (i = 0; i < 2; i ++)
1387 /* See if SIGNER signed SIGNEE. */
1389 kbnode_t signer = i == 0 ? a : b;
1390 kbnode_t signee = i == 0 ? b : a;
1392 PKT_public_key *signer_pk = signer->pkt->pkt.public_key;
1393 u32 *signer_kid = pk_main_keyid (signer_pk);
1398 /* Iterate over SIGNEE's keyblock and see if there is a valid
1399 signature from SIGNER. */
1400 for (n = signee; n; n = n->next)
1404 if (n->pkt->pkttype == PKT_USER_ID)
1407 /* We're done: we've processed all signatures on the
1412 /* See if this is the matching user id. */
1413 PKT_user_id *user_id = n->pkt->pkt.user_id;
1414 char *email2 = email_from_user_id (user_id->name);
1416 if (strcmp (email, email2) == 0)
1426 if (n->pkt->pkttype != PKT_SIGNATURE)
1429 sig = n->pkt->pkt.signature;
1431 if (! (sig->sig_class == 0x10
1432 || sig->sig_class == 0x11
1433 || sig->sig_class == 0x12
1434 || sig->sig_class == 0x13))
1435 /* Not a signature over a user id. */
1438 /* SIG is on SIGNEE's keyblock. If SIG was generated by the
1439 signer, then it's a match. */
1440 if (keyid_cmp (sig->keyid, signer_kid) == 0)
1445 /* We didn't find a signature from signer over signee. */
1448 log_debug ("No cross sig between %s and %s\n",
1454 /* A signed B and B signed A. */
1456 log_debug ("Cross sig between %s and %s\n",
1462 /* Return whether the key was signed by an ultimately trusted key. */
1464 signed_by_utk (const char *email, kbnode_t a)
1469 for (n = a; n; n = n->next)
1473 if (n->pkt->pkttype == PKT_USER_ID)
1476 /* We're done: we've processed all signatures on the
1481 /* See if this is the matching user id. */
1482 PKT_user_id *user_id = n->pkt->pkt.user_id;
1483 char *email2 = email_from_user_id (user_id->name);
1485 if (strcmp (email, email2) == 0)
1495 if (n->pkt->pkttype != PKT_SIGNATURE)
1498 sig = n->pkt->pkt.signature;
1500 if (! (sig->sig_class == 0x10
1501 || sig->sig_class == 0x11
1502 || sig->sig_class == 0x12
1503 || sig->sig_class == 0x13))
1504 /* Not a signature over a user id. */
1507 /* SIG is on SIGNEE's keyblock. If SIG was generated by the
1508 signer, then it's a match. */
1509 if (tdb_keyid_is_utk (sig->keyid))
1513 log_debug ("TOFU: %s is signed by an ultimately trusted key.\n",
1514 pk_keyid_str (a->pkt->pkt.public_key));
1521 log_debug ("TOFU: %s is NOT signed by an ultimately trusted key.\n",
1522 pk_keyid_str (a->pkt->pkt.public_key));
1530 BINDING_NEW = 1 << 0,
1531 BINDING_CONFLICT = 1 << 1,
1532 BINDING_EXPIRED = 1 << 2,
1533 BINDING_REVOKED = 1 << 3
1537 /* Ask the user about the binding. There are three ways we could end
1540 * - This is a new binding and there is a conflict
1541 * (policy == TOFU_POLICY_NONE && conflict_set_count > 1),
1543 * - This is a new binding and opt.tofu_default_policy is set to
1544 * ask. (policy == TOFU_POLICY_NONE && opt.tofu_default_policy ==
1545 * TOFU_POLICY_ASK), or,
1547 * - The policy is ask (the user deferred last time) (policy ==
1550 * Note: this function must not be called while in a transaction!
1552 * CONFLICT_SET includes all of the conflicting bindings
1553 * with FINGERPRINT first. FLAGS is a bit-wise or of
1557 ask_about_binding (ctrl_t ctrl,
1558 enum tofu_policy *policy,
1560 strlist_t conflict_set,
1561 const char *fingerprint,
1563 const char *user_id,
1568 int conflict_set_count = strlist_length (conflict_set);
1572 strlist_t other_user_ids = NULL;
1573 struct signature_stats *stats = NULL;
1574 struct signature_stats *stats_iter = NULL;
1575 char *prompt = NULL;
1578 dbs = ctrl->tofu.dbs;
1580 log_assert (dbs->in_transaction == 0);
1582 fp = es_fopenmem (0, "rw,samethread");
1584 log_fatal ("error creating memory stream: %s\n",
1585 gpg_strerror (gpg_error_from_syserror()));
1588 char *text = format_conflict_msg_part1 (*policy, conflict_set, email);
1589 es_fputs (text, fp);
1590 es_fputc ('\n', fp);
1594 begin_transaction (ctrl, 0);
1596 /* Find other user ids associated with this key and whether the
1597 * bindings are marked as good or bad. */
1599 (dbs->db, &dbs->s.get_trust_gather_other_user_ids,
1600 strings_collect_cb2, &other_user_ids, &sqerr,
1601 "select user_id, policy from bindings where fingerprint = ?;",
1602 GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_END);
1605 log_error (_("error gathering other user IDs: %s\n"), sqerr);
1606 sqlite3_free (sqerr);
1608 rc = gpg_error (GPG_ERR_GENERAL);
1613 strlist_t strlist_iter;
1615 es_fprintf (fp, _("This key's user IDs:\n"));
1616 for (strlist_iter = other_user_ids;
1618 strlist_iter = strlist_iter->next)
1620 char *other_user_id = strlist_iter->d;
1622 enum tofu_policy other_policy;
1624 log_assert (strlist_iter->next);
1625 strlist_iter = strlist_iter->next;
1626 other_thing = strlist_iter->d;
1628 other_policy = atoi (other_thing);
1630 es_fprintf (fp, " %s (", other_user_id);
1631 es_fprintf (fp, _("policy: %s"), tofu_policy_str (other_policy));
1632 es_fprintf (fp, ")\n");
1634 es_fprintf (fp, "\n");
1636 free_strlist (other_user_ids);
1639 /* Get the stats for all the keys in CONFLICT_SET. */
1640 strlist_rev (&conflict_set);
1641 for (iter = conflict_set; iter && ! rc; iter = iter->next)
1643 #define STATS_SQL(table, time, sign) \
1644 "select fingerprint, policy, time_ago, count(*)\n" \
1646 " (select bindings.*,\n" \
1648 " when delta ISNULL then 1\n" \
1649 /* From the future (but if its just a couple of hours in the \
1650 * future don't turn it into a warning)? Or should we use \
1651 * small, medium or large units? (Note: whatever we do, we \
1652 * keep the value in seconds. Then when we group, everything \
1653 * that rounds to the same number of seconds is grouped.) */ \
1654 " when delta < -("STRINGIFY (TIME_AGO_FUTURE_IGNORE)") then 2\n" \
1655 " when delta < ("STRINGIFY (TIME_AGO_SMALL_THRESHOLD)")\n" \
1657 " when delta < ("STRINGIFY (TIME_AGO_MEDIUM_THRESHOLD)")\n" \
1659 " when delta < ("STRINGIFY (TIME_AGO_LARGE_THRESHOLD)")\n" \
1662 " end time_ago,\n" \
1663 " delta time_ago_raw\n" \
1664 " from bindings\n" \
1667 " cast(? - " time " as real) delta\n" \
1668 " from " table ") ss\n" \
1669 " on ss.binding = bindings.oid)\n" \
1670 " where email = ? and fingerprint = ?\n" \
1671 " group by time_ago\n" \
1672 /* Make sure the current key is first. */ \
1673 " order by time_ago desc;\n"
1675 /* Use the time when we saw the signature, not when the
1676 signature was created as that can be forged. */
1678 (dbs->db, &dbs->s.get_trust_gather_signature_stats,
1679 signature_stats_collect_cb, &stats, &sqerr,
1680 STATS_SQL ("signatures", "time", ""),
1681 GPGSQL_ARG_LONG_LONG, (long long) now,
1682 GPGSQL_ARG_STRING, email,
1683 GPGSQL_ARG_STRING, iter->d,
1687 rc = gpg_error (GPG_ERR_GENERAL);
1691 if (!stats || strcmp (iter->d, stats->fingerprint) != 0)
1692 /* No stats for this binding. Add a dummy entry. */
1693 signature_stats_prepend (&stats, iter->d, TOFU_POLICY_AUTO, 1, 1);
1696 (dbs->db, &dbs->s.get_trust_gather_encryption_stats,
1697 signature_stats_collect_cb, &stats, &sqerr,
1698 STATS_SQL ("encryptions", "time", "-"),
1699 GPGSQL_ARG_LONG_LONG, (long long) now,
1700 GPGSQL_ARG_STRING, email,
1701 GPGSQL_ARG_STRING, iter->d,
1705 rc = gpg_error (GPG_ERR_GENERAL);
1711 if (!stats || strcmp (iter->d, stats->fingerprint) != 0
1712 || stats->time_ago > 0)
1713 /* No stats for this binding. Add a dummy entry. */
1714 signature_stats_prepend (&stats, iter->d, TOFU_POLICY_AUTO, -1, 1);
1716 end_transaction (ctrl, 0);
1717 strlist_rev (&conflict_set);
1720 strlist_t strlist_iter;
1722 log_error (_("error gathering signature stats: %s\n"), sqerr);
1723 sqlite3_free (sqerr);
1726 es_fprintf (fp, ngettext("The email address \"%s\" is"
1727 " associated with %d key:\n",
1728 "The email address \"%s\" is"
1729 " associated with %d keys:\n",
1730 conflict_set_count),
1731 email, conflict_set_count);
1732 for (strlist_iter = conflict_set;
1734 strlist_iter = strlist_iter->next)
1735 es_fprintf (fp, " %s\n", strlist_iter->d);
1741 int seen_in_past = 0;
1744 es_fprintf (fp, _("Statistics for keys"
1745 " with the email address \"%s\":\n"),
1747 for (stats_iter = stats; stats_iter; stats_iter = stats_iter->next)
1750 log_debug ("%s: time_ago: %ld; count: %ld\n",
1751 stats_iter->fingerprint,
1752 stats_iter->time_ago,
1756 if (stats_iter->time_ago > 0 && encrypted)
1758 /* We've change from the encrypted stats to the verified
1759 * stats. Reset SEEN_IN_PAST. */
1764 if (! key || strcmp (key, stats_iter->fingerprint))
1769 key = stats_iter->fingerprint;
1770 this_key = strcmp (key, fingerprint) == 0;
1771 key_pp = format_hexfingerprint (key, NULL, 0);
1772 es_fprintf (fp, " %s (", key_pp);
1774 /* Find the associated binding. */
1775 for (binding = conflict_set;
1777 binding = binding->next)
1778 if (strcmp (key, binding->d) == 0)
1780 log_assert (binding);
1782 if ((binding->flags & BINDING_REVOKED))
1784 es_fprintf (fp, _("revoked"));
1785 es_fprintf (fp, _(", "));
1787 else if ((binding->flags & BINDING_EXPIRED))
1789 es_fprintf (fp, _("expired"));
1790 es_fprintf (fp, _(", "));
1794 es_fprintf (fp, _("this key"));
1796 es_fprintf (fp, _("policy: %s"),
1797 tofu_policy_str (stats_iter->policy));
1798 es_fputs ("):\n", fp);
1803 show_statistics (dbs, stats_iter->fingerprint, email,
1804 TOFU_POLICY_ASK, NULL, 1, now);
1807 if (labs(stats_iter->time_ago) == 1)
1809 /* The 1 in this case is the NULL entry. */
1810 log_assert (stats_iter->count == 1);
1811 stats_iter->count = 0;
1813 seen_in_past += stats_iter->count;
1817 if (!stats_iter->count)
1819 if (stats_iter->time_ago > 0)
1820 es_fprintf (fp, ngettext("Verified %d message.",
1821 "Verified %d messages.",
1822 seen_in_past), seen_in_past);
1824 es_fprintf (fp, ngettext("Encrypted %d message.",
1825 "Encrypted %d messages.",
1826 seen_in_past), seen_in_past);
1828 else if (labs(stats_iter->time_ago) == 2)
1830 if (stats_iter->time_ago > 0)
1831 es_fprintf (fp, ngettext("Verified %d message in the future.",
1832 "Verified %d messages in the future.",
1833 seen_in_past), seen_in_past);
1835 es_fprintf (fp, ngettext("Encrypted %d message in the future.",
1836 "Encrypted %d messages in the future.",
1837 seen_in_past), seen_in_past);
1843 if (labs(stats_iter->time_ago) == 3)
1845 int days = 1 + stats_iter->time_ago / TIME_AGO_UNIT_SMALL;
1846 if (stats_iter->time_ago > 0)
1849 ngettext("Messages verified over the past %d day: %d.",
1850 "Messages verified over the past %d days: %d.",
1851 days), days, seen_in_past);
1855 ngettext("Messages encrypted over the past %d day: %d.",
1856 "Messages encrypted over the past %d days: %d.",
1857 days), days, seen_in_past);
1859 else if (labs(stats_iter->time_ago) == 4)
1861 int months = 1 + stats_iter->time_ago / TIME_AGO_UNIT_MEDIUM;
1862 if (stats_iter->time_ago > 0)
1865 ngettext("Messages verified over the past %d month: %d.",
1866 "Messages verified over the past %d months: %d.",
1867 months), months, seen_in_past);
1871 ngettext("Messages encrypted over the past %d month: %d.",
1872 "Messages encrypted over the past %d months: %d.",
1873 months), months, seen_in_past);
1875 else if (labs(stats_iter->time_ago) == 5)
1877 int years = 1 + stats_iter->time_ago / TIME_AGO_UNIT_LARGE;
1878 if (stats_iter->time_ago > 0)
1881 ngettext("Messages verified over the past %d year: %d.",
1882 "Messages verified over the past %d years: %d.",
1883 years), years, seen_in_past);
1887 ngettext("Messages encrypted over the past %d year: %d.",
1888 "Messages encrypted over the past %d years: %d.",
1889 years), years, seen_in_past);
1891 else if (labs(stats_iter->time_ago) == 6)
1893 if (stats_iter->time_ago > 0)
1895 (fp, _("Messages verified in the past: %d."),
1899 (fp, _("Messages encrypted in the past: %d."),
1903 log_assert (! "Broken SQL.\n");
1905 es_fputs ("\n", fp);
1909 if (conflict_set_count > 1 || (conflict_set->flags & BINDING_CONFLICT))
1911 /* This is a conflict. */
1913 /* TRANSLATORS: Please translate the text found in the source
1914 * file below. We don't directly internationalize that text so
1915 * that we can tweak it without breaking translations. */
1916 char *text = _("TOFU detected a binding conflict");
1918 if (!strcmp (text, "TOFU detected a binding conflict"))
1920 /* No translation. Use the English text. */
1922 "Normally, an email address is associated with a single key. "
1923 "However, people sometimes generate a new key if "
1924 "their key is too old or they think it might be compromised. "
1925 "Alternatively, a new key may indicate a man-in-the-middle "
1926 "attack! Before accepting this association, you should talk to or "
1927 "call the person to make sure this new key is legitimate.";
1929 textbuf = format_text (text, 0, 72, 80);
1930 es_fprintf (fp, "\n%s\n", textbuf);
1934 es_fputc ('\n', fp);
1936 /* Add a NUL terminator. */
1938 if (es_fclose_snatch (fp, (void **) &prompt, NULL))
1939 log_fatal ("error snatching memory stream\n");
1941 /* I think showing the large message once is sufficient. If we
1942 * would move it right before the cpr_get many lines will scroll
1943 * away and the user might not realize that he merely entered a
1944 * wrong choise (because he does not see that either). As a small
1945 * benefit we allow C-L to redisplay everything. */
1946 tty_printf ("%s", prompt);
1948 /* Suspend any transaction: it could take a while until the user
1950 tofu_suspend_batch_transaction (ctrl);
1955 /* TRANSLATORS: Two letters (normally the lower and upper case
1956 * version of the hotkey) for each of the five choices. If
1957 * there is only one choice in your language, repeat it. */
1958 choices = _("gG" "aA" "uU" "rR" "bB");
1959 if (strlen (choices) != 10)
1960 log_bug ("Bad TOFU conflict translation! Please report.");
1964 _("(G)ood, (A)ccept once, (U)nknown, (R)eject once, (B)ad? "));
1965 trim_spaces (response);
1967 if (*response == CONTROL_L)
1968 tty_printf ("%s", prompt);
1969 else if (!response[0])
1970 /* Default to unknown. Don't save it. */
1972 tty_printf (_("Defaulting to unknown.\n"));
1973 *policy = TOFU_POLICY_UNKNOWN;
1976 else if (!response[1])
1978 char *choice = strchr (choices, *response);
1982 int c = ((size_t) choice - (size_t) choices) / 2;
1987 *policy = TOFU_POLICY_GOOD;
1988 *trust_level = tofu_policy_to_trust_level (*policy);
1990 case 1: /* Accept once. */
1991 *policy = TOFU_POLICY_ASK;
1992 *trust_level = tofu_policy_to_trust_level (TOFU_POLICY_GOOD);
1994 case 2: /* Unknown. */
1995 *policy = TOFU_POLICY_UNKNOWN;
1996 *trust_level = tofu_policy_to_trust_level (*policy);
1998 case 3: /* Reject once. */
1999 *policy = TOFU_POLICY_ASK;
2000 *trust_level = tofu_policy_to_trust_level (TOFU_POLICY_BAD);
2003 *policy = TOFU_POLICY_BAD;
2004 *trust_level = tofu_policy_to_trust_level (*policy);
2007 log_bug ("c should be between 0 and 4 but it is %d!", c);
2010 if (record_binding (dbs, fingerprint, email, user_id,
2011 *policy, TOFU_POLICY_NONE, NULL, 0, 0, now))
2013 /* If there's an error registering the
2014 * binding, don't save the signature. */
2015 *trust_level = _tofu_GET_TRUST_ERROR;
2023 tofu_resume_batch_transaction (ctrl);
2027 signature_stats_free (stats);
2030 /* Return the set of keys that conflict with the binding <fingerprint,
2031 email> (including the binding itself, which will be first in the
2032 list). For each returned key also sets BINDING_NEW, etc. */
2034 build_conflict_set (tofu_dbs_t dbs,
2035 PKT_public_key *pk, const char *fingerprint,
2040 strlist_t conflict_set = NULL;
2041 int conflict_set_count;
2047 /* Get the fingerprints of any bindings that share the email address
2048 * and whether the bindings have a known conflict.
2050 * Note: if the binding in question is in the DB, it will also be
2051 * returned. Thus, if the result set is empty, then <email,
2052 * fingerprint> is a new binding. */
2054 (dbs->db, &dbs->s.get_trust_bindings_with_this_email,
2055 strings_collect_cb2, &conflict_set, &sqerr,
2057 /* A binding should only appear once, but try not to break in the
2058 * case of corruption. */
2059 " fingerprint || case sum(conflict NOTNULL) when 0 then '' else '!' end"
2060 " from bindings where email = ?"
2061 " group by fingerprint"
2062 /* Make sure the current key comes first in the result list (if
2064 " order by fingerprint = ? asc, fingerprint desc;",
2065 GPGSQL_ARG_STRING, email,
2066 GPGSQL_ARG_STRING, fingerprint,
2070 log_error (_("error reading TOFU database: %s\n"), sqerr);
2071 print_further_info ("listing fingerprints");
2072 sqlite3_free (sqerr);
2073 rc = gpg_error (GPG_ERR_GENERAL);
2077 /* Set BINDING_CONFLICT if the binding has a known conflict. This
2078 * allows us to distinguish between bindings where the user
2079 * explicitly set the policy to ask and bindings where we set the
2080 * policy to ask due to a conflict. */
2081 for (iter = conflict_set; iter; iter = iter->next)
2083 int l = strlen (iter->d);
2084 if (!(l == 2 * MAX_FINGERPRINT_LEN
2085 || l == 2 * MAX_FINGERPRINT_LEN + 1))
2087 log_error (_("TOFU db corruption detected.\n"));
2088 print_further_info ("fingerprint '%s' is not %d characters long",
2089 iter->d, 2 * MAX_FINGERPRINT_LEN);
2092 if (l >= 1 && iter->d[l - 1] == '!')
2094 iter->flags |= BINDING_CONFLICT;
2100 /* If the current binding has not yet been recorded, add it to the
2101 * list. (The order by above ensures that if it is present, it will
2103 if (! (conflict_set && strcmp (conflict_set->d, fingerprint) == 0))
2105 add_to_strlist (&conflict_set, fingerprint);
2106 conflict_set->flags |= BINDING_NEW;
2109 conflict_set_count = strlist_length (conflict_set);
2111 /* Eliminate false conflicts. */
2113 if (conflict_set_count == 1)
2114 /* We only have a single key. There are no false conflicts to
2115 eliminate. But, we do need to set the flags. */
2117 if (pk->has_expired)
2118 conflict_set->flags |= BINDING_EXPIRED;
2119 if (pk->flags.revoked)
2120 conflict_set->flags |= BINDING_REVOKED;
2122 return conflict_set;
2125 /* If two keys have cross signatures, then they are controlled by
2126 * the same person and thus are not in conflict. */
2127 kb_all = xcalloc (sizeof (kb_all[0]), conflict_set_count);
2129 for (i = 0, iter = conflict_set;
2130 i < conflict_set_count;
2131 i ++, iter = iter->next)
2134 KEYDB_SEARCH_DESC desc;
2136 PKT_public_key *binding_pk;
2140 rc = keydb_search_reset (hd);
2143 log_error (_("resetting keydb: %s\n"),
2148 rc = classify_user_id (fp, &desc, 0);
2151 log_error (_("error parsing key specification '%s': %s\n"),
2152 fp, gpg_strerror (rc));
2156 rc = keydb_search (hd, &desc, 1, NULL);
2159 /* Note: it is entirely possible that we don't have the key
2160 corresponding to an entry in the TOFU DB. This can
2161 happen if we merge two TOFU DBs, but not the key
2163 log_info (_("key \"%s\" not found: %s\n"),
2164 fp, gpg_strerror (rc));
2168 rc = keydb_get_keyblock (hd, &kb);
2171 log_error (_("error reading keyblock: %s\n"),
2173 print_further_info ("fingerprint: %s", fp);
2177 merge_keys_and_selfsig (kb);
2179 log_assert (kb->pkt->pkttype == PKT_PUBLIC_KEY);
2183 /* Since we have the key block, use this opportunity to figure
2184 * out if the binding is expired or revoked. */
2185 binding_pk = kb->pkt->pkt.public_key;
2187 /* The binding is always expired/revoked if the key is
2188 * expired/revoked. */
2189 if (binding_pk->has_expired)
2190 iter->flags |= BINDING_EXPIRED;
2191 if (binding_pk->flags.revoked)
2192 iter->flags |= BINDING_REVOKED;
2194 /* The binding is also expired/revoked if the user id is
2195 * expired/revoked. */
2198 while ((n = find_next_kbnode (n, PKT_USER_ID)) && ! found_user_id)
2200 PKT_user_id *user_id2 = n->pkt->pkt.user_id;
2203 if (user_id2->attrib_data)
2206 email2 = email_from_user_id (user_id2->name);
2208 if (strcmp (email, email2) == 0)
2212 if (user_id2->is_revoked)
2213 iter->flags |= BINDING_REVOKED;
2214 if (user_id2->is_expired)
2215 iter->flags |= BINDING_EXPIRED;
2221 if (! found_user_id)
2223 log_info (_("TOFU db corruption detected.\n"));
2224 print_further_info ("user id '%s' not on key block '%s'",
2225 email, fingerprint);
2230 /* Now that we have the key blocks, check for cross sigs. */
2234 strlist_t iter_next;
2237 log_assert (conflict_set_count > 0);
2238 die = xtrycalloc (conflict_set_count, sizeof *die);
2241 /*err = gpg_error_from_syserror ();*/
2242 xoutofcore (); /* Fixme: Let the fucntion return an error. */
2245 for (i = 0; i < conflict_set_count; i ++)
2247 /* Look for cross sigs between this key (i == 0) or a key
2248 * that has cross sigs with i == 0 (i.e., transitively) */
2249 if (! (i == 0 || die[i]))
2252 for (j = i + 1; j < conflict_set_count; j ++)
2253 /* Be careful: we might not have a key block for a key. */
2254 if (kb_all[i] && kb_all[j] && cross_sigs (email, kb_all[i], kb_all[j]))
2258 /* Free unconflicting bindings (and all of the key blocks). */
2259 for (iter = conflict_set, prevp = &conflict_set, i = 0;
2261 iter = iter_next, i ++)
2263 iter_next = iter->next;
2265 release_kbnode (kb_all[i]);
2271 free_strlist (iter);
2272 conflict_set_count --;
2276 prevp = &iter->next;
2280 /* We shouldn't have removed the head. */
2281 log_assert (conflict_set);
2282 log_assert (conflict_set_count >= 1);
2289 log_debug ("binding <key: %s, email: %s> conflicts:\n",
2290 fingerprint, email);
2291 for (iter = conflict_set; iter; iter = iter->next)
2293 log_debug (" %s:%s%s%s%s\n",
2295 (iter->flags & BINDING_NEW) ? " new" : "",
2296 (iter->flags & BINDING_CONFLICT) ? " known_conflict" : "",
2297 (iter->flags & BINDING_EXPIRED) ? " expired" : "",
2298 (iter->flags & BINDING_REVOKED) ? " revoked" : "");
2302 return conflict_set;
2306 /* Return the effective policy for the binding <FINGERPRINT, EMAIL>
2307 * (email has already been normalized) and any conflict information in
2308 * *CONFLICT_SETP, if CONFLICT_SETP is not NULL. Returns
2309 * _tofu_GET_POLICY_ERROR if an error occurs.
2311 * This function registers the binding in the bindings table if it has
2312 * not yet been registered.
2314 static enum tofu_policy
2315 get_policy (tofu_dbs_t dbs, PKT_public_key *pk,
2316 const char *fingerprint, const char *user_id, const char *email,
2317 strlist_t *conflict_setp, time_t now)
2321 strlist_t results = NULL;
2322 enum tofu_policy policy = _tofu_GET_POLICY_ERROR;
2323 enum tofu_policy effective_policy_orig = TOFU_POLICY_NONE;
2324 enum tofu_policy effective_policy = _tofu_GET_POLICY_ERROR;
2326 char *conflict_orig = NULL;
2327 char *conflict = NULL;
2328 strlist_t conflict_set = NULL;
2329 int conflict_set_count;
2331 /* Check if the <FINGERPRINT, EMAIL> binding is known
2332 (TOFU_POLICY_NONE cannot appear in the DB. Thus, if POLICY is
2333 still TOFU_POLICY_NONE after executing the query, then the
2334 result set was empty.) */
2335 rc = gpgsql_stepx (dbs->db, &dbs->s.get_policy_select_policy_and_conflict,
2336 strings_collect_cb2, &results, &err,
2337 "select policy, conflict, effective_policy from bindings\n"
2338 " where fingerprint = ? and email = ?",
2339 GPGSQL_ARG_STRING, fingerprint,
2340 GPGSQL_ARG_STRING, email,
2344 log_error (_("error reading TOFU database: %s\n"), err);
2345 print_further_info ("reading the policy");
2347 rc = gpg_error (GPG_ERR_GENERAL);
2351 if (strlist_length (results) == 0)
2353 /* No results. Use the defaults. */
2354 policy = TOFU_POLICY_NONE;
2355 effective_policy = TOFU_POLICY_NONE;
2357 else if (strlist_length (results) == 3)
2359 /* Parse and sanity check the results. */
2361 if (string_to_long (&along, results->d, 0, __LINE__))
2363 log_error (_("error reading TOFU database: %s\n"),
2364 gpg_strerror (GPG_ERR_BAD_DATA));
2365 print_further_info ("bad value for policy: %s", results->d);
2370 if (! (policy == TOFU_POLICY_AUTO
2371 || policy == TOFU_POLICY_GOOD
2372 || policy == TOFU_POLICY_UNKNOWN
2373 || policy == TOFU_POLICY_BAD
2374 || policy == TOFU_POLICY_ASK))
2376 log_error (_("error reading TOFU database: %s\n"),
2377 gpg_strerror (GPG_ERR_DB_CORRUPTED));
2378 print_further_info ("invalid value for policy (%d)", policy);
2379 effective_policy = _tofu_GET_POLICY_ERROR;
2383 if (*results->next->d)
2384 conflict = xstrdup (results->next->d);
2386 if (string_to_long (&along, results->next->next->d, 0, __LINE__))
2388 log_error (_("error reading TOFU database: %s\n"),
2389 gpg_strerror (GPG_ERR_BAD_DATA));
2390 print_further_info ("bad value for effective policy: %s",
2391 results->next->next->d);
2394 effective_policy = along;
2396 if (! (effective_policy == TOFU_POLICY_NONE
2397 || effective_policy == TOFU_POLICY_AUTO
2398 || effective_policy == TOFU_POLICY_GOOD
2399 || effective_policy == TOFU_POLICY_UNKNOWN
2400 || effective_policy == TOFU_POLICY_BAD
2401 || effective_policy == TOFU_POLICY_ASK))
2403 log_error (_("error reading TOFU database: %s\n"),
2404 gpg_strerror (GPG_ERR_DB_CORRUPTED));
2405 print_further_info ("invalid value for effective_policy (%d)",
2407 effective_policy = _tofu_GET_POLICY_ERROR;
2413 /* The result has the wrong form. */
2415 log_error (_("error reading TOFU database: %s\n"),
2416 gpg_strerror (GPG_ERR_BAD_DATA));
2417 print_further_info ("reading policy: expected 3 columns, got %d\n",
2418 strlist_length (results));
2422 /* Save the effective policy and conflict so we know if we changed
2424 effective_policy_orig = effective_policy;
2425 conflict_orig = conflict;
2427 /* Unless there is a conflict, if the effective policy is cached,
2428 * just return it. The reason we don't do this when there is a
2429 * conflict is because of the following scenario: assume A and B
2430 * conflict and B has signed A's key. Now, later we import A's
2431 * signature on B. We need to recheck A, but the signature was on
2432 * B, i.e., when B changes, we invalidate B's effective policy, but
2433 * we also need to invalidate A's effective policy. Instead, we
2434 * assume that conflicts are rare and don't optimize for them, which
2435 * would complicate the code. */
2436 if (effective_policy != TOFU_POLICY_NONE && !conflict)
2439 /* If the user explicitly set the policy, then respect that. */
2440 if (policy != TOFU_POLICY_AUTO && policy != TOFU_POLICY_NONE)
2442 effective_policy = policy;
2446 /* Unless proven wrong, assume the effective policy is 'auto'. */
2447 effective_policy = TOFU_POLICY_AUTO;
2449 /* See if the key is ultimately trusted. */
2453 keyid_from_pk (pk, kid);
2454 if (tdb_keyid_is_utk (kid))
2456 effective_policy = TOFU_POLICY_GOOD;
2461 /* See if the key is signed by an ultimately trusted key. */
2463 int fingerprint_raw_len = strlen (fingerprint) / 2;
2464 char fingerprint_raw[20];
2467 if (fingerprint_raw_len != sizeof fingerprint_raw
2468 || ((len = hex2bin (fingerprint,
2469 fingerprint_raw, fingerprint_raw_len))
2470 != strlen (fingerprint)))
2473 log_debug ("TOFU: Bad fingerprint: %s (len: %zu, parsed: %d)\n",
2474 fingerprint, strlen (fingerprint), len);
2481 lookup_err = get_pubkey_byfprint (NULL, &kb,
2483 fingerprint_raw_len);
2487 log_debug ("TOFU: Looking up %s: %s\n",
2488 fingerprint, gpg_strerror (lookup_err));
2492 int is_signed_by_utk = signed_by_utk (email, kb);
2493 release_kbnode (kb);
2494 if (is_signed_by_utk)
2496 effective_policy = TOFU_POLICY_GOOD;
2503 /* Check for any conflicts / see if a previously discovered conflict
2504 * disappeared. The latter can happen if the conflicting bindings
2505 * are now cross signed, for instance. */
2507 conflict_set = build_conflict_set (dbs, pk, fingerprint, email);
2508 conflict_set_count = strlist_length (conflict_set);
2509 if (conflict_set_count == 0)
2511 /* build_conflict_set should always at least return the current
2512 binding. Something went wrong. */
2513 effective_policy = _tofu_GET_POLICY_ERROR;
2517 if (conflict_set_count == 1
2518 && (conflict_set->flags & BINDING_NEW))
2520 /* We've never observed a binding with this email address and we
2521 * have a default policy, which is not to ask the user. */
2523 /* If we've seen this binding, then we've seen this email and
2524 * policy couldn't possibly be TOFU_POLICY_NONE. */
2525 log_assert (policy == TOFU_POLICY_NONE);
2528 log_debug ("TOFU: New binding <key: %s, user id: %s>, no conflict.\n",
2529 fingerprint, email);
2531 effective_policy = TOFU_POLICY_AUTO;
2535 if (conflict_set_count == 1
2536 && (conflict_set->flags & BINDING_CONFLICT))
2538 /* No known conflicts now, but there was a conflict. This means
2539 * at some point, there was a conflict and we changed this
2540 * binding's policy to ask and set the conflicting key. The
2541 * conflict can go away if there is not a cross sig between the
2542 * two keys. In this case, just silently clear the conflict and
2543 * reset the policy to auto. */
2546 log_debug ("TOFU: binding <key: %s, user id: %s> had a conflict, but it's been resolved (probably via cross sig).\n",
2547 fingerprint, email);
2549 effective_policy = TOFU_POLICY_AUTO;
2555 if (conflict_set_count == 1)
2557 /* No conflicts and never marked as conflicting. */
2559 log_assert (!conflict);
2561 effective_policy = TOFU_POLICY_AUTO;
2566 /* There is a conflicting key. */
2567 log_assert (conflict_set_count > 1);
2568 effective_policy = TOFU_POLICY_ASK;
2569 conflict = xstrdup (conflict_set->next->d);
2572 log_assert (policy == _tofu_GET_POLICY_ERROR
2573 || policy == TOFU_POLICY_NONE
2574 || policy == TOFU_POLICY_AUTO
2575 || policy == TOFU_POLICY_GOOD
2576 || policy == TOFU_POLICY_UNKNOWN
2577 || policy == TOFU_POLICY_BAD
2578 || policy == TOFU_POLICY_ASK);
2579 /* Everything but NONE. */
2580 log_assert (effective_policy == _tofu_GET_POLICY_ERROR
2581 || effective_policy == TOFU_POLICY_AUTO
2582 || effective_policy == TOFU_POLICY_GOOD
2583 || effective_policy == TOFU_POLICY_UNKNOWN
2584 || effective_policy == TOFU_POLICY_BAD
2585 || effective_policy == TOFU_POLICY_ASK);
2587 if (effective_policy != TOFU_POLICY_ASK && conflict)
2590 /* If we don't have a record of this binding, its effective policy
2591 * changed, or conflict changed, update the DB. */
2592 if (effective_policy != _tofu_GET_POLICY_ERROR
2593 && (/* New binding. */
2594 policy == TOFU_POLICY_NONE
2595 /* effective_policy changed. */
2596 || effective_policy != effective_policy_orig
2597 /* conflict changed. */
2598 || (conflict != conflict_orig
2599 && (!conflict || !conflict_orig
2600 || strcmp (conflict, conflict_orig) != 0))))
2602 if (record_binding (dbs, fingerprint, email, user_id,
2603 policy == TOFU_POLICY_NONE ? TOFU_POLICY_AUTO : policy,
2604 effective_policy, conflict, 1, 0, now) != 0)
2605 log_error (_("error setting TOFU binding's policy"
2606 " to %s\n"), tofu_policy_str (policy));
2609 /* If the caller wants the set of conflicts, return it. */
2610 if (effective_policy == TOFU_POLICY_ASK && conflict_setp)
2613 conflict_set = build_conflict_set (dbs, pk, fingerprint, email);
2614 *conflict_setp = conflict_set;
2618 free_strlist (conflict_set);
2621 *conflict_setp = NULL;
2624 xfree (conflict_orig);
2625 if (conflict != conflict_orig)
2627 free_strlist (results);
2629 return effective_policy;
2633 /* Return the trust level (TRUST_NEVER, etc.) for the binding
2634 * <FINGERPRINT, EMAIL> (email is already normalized). If no policy
2635 * is registered, returns TOFU_POLICY_NONE. If an error occurs,
2636 * returns _tofu_GET_TRUST_ERROR.
2638 * PK is the public key object for FINGERPRINT.
2640 * USER_ID is the unadulterated user id.
2642 * If MAY_ASK is set, then we may interact with the user. This is
2643 * necessary if there is a conflict or the binding's policy is
2644 * TOFU_POLICY_ASK. In the case of a conflict, we set the new
2645 * conflicting binding's policy to TOFU_POLICY_ASK. In either case,
2646 * we return TRUST_UNDEFINED. Note: if MAY_ASK is set, then this
2647 * function must not be called while in a transaction! */
2648 static enum tofu_policy
2649 get_trust (ctrl_t ctrl, PKT_public_key *pk,
2650 const char *fingerprint, const char *email,
2651 const char *user_id, int may_ask,
2652 enum tofu_policy *policyp, strlist_t *conflict_setp,
2655 tofu_dbs_t dbs = ctrl->tofu.dbs;
2656 int in_transaction = 0;
2657 enum tofu_policy policy;
2660 strlist_t conflict_set = NULL;
2661 int trust_level = TRUST_UNKNOWN;
2667 log_assert (dbs->in_transaction == 0);
2672 log_assert (pk_is_primary (pk));
2674 /* Make sure _tofu_GET_TRUST_ERROR isn't equal to any of the trust
2676 log_assert (_tofu_GET_TRUST_ERROR != TRUST_UNKNOWN
2677 && _tofu_GET_TRUST_ERROR != TRUST_EXPIRED
2678 && _tofu_GET_TRUST_ERROR != TRUST_UNDEFINED
2679 && _tofu_GET_TRUST_ERROR != TRUST_NEVER
2680 && _tofu_GET_TRUST_ERROR != TRUST_MARGINAL
2681 && _tofu_GET_TRUST_ERROR != TRUST_FULLY
2682 && _tofu_GET_TRUST_ERROR != TRUST_ULTIMATE);
2684 begin_transaction (ctrl, 0);
2687 /* We need to call get_policy even if the key is ultimately trusted
2688 * to make sure the binding has been registered. */
2689 policy = get_policy (dbs, pk, fingerprint, user_id, email,
2690 &conflict_set, now);
2692 /* If the key is ultimately trusted, there is nothing to do. */
2696 keyid_from_pk (pk, kid);
2697 if (tdb_keyid_is_utk (kid))
2699 trust_level = TRUST_ULTIMATE;
2700 policy = TOFU_POLICY_GOOD;
2705 if (policy == TOFU_POLICY_AUTO)
2707 policy = opt.tofu_default_policy;
2709 log_debug ("TOFU: binding <key: %s, user id: %s>'s policy is"
2710 " auto (default: %s).\n",
2712 tofu_policy_str (opt.tofu_default_policy));
2716 case TOFU_POLICY_AUTO:
2717 case TOFU_POLICY_GOOD:
2718 case TOFU_POLICY_UNKNOWN:
2719 case TOFU_POLICY_BAD:
2720 /* The saved judgement is auto -> auto, good, unknown or bad.
2721 * We don't need to ask the user anything. */
2723 log_debug ("TOFU: Known binding <key: %s, user id: %s>'s policy: %s\n",
2724 fingerprint, email, tofu_policy_str (policy));
2725 trust_level = tofu_policy_to_trust_level (policy);
2728 case TOFU_POLICY_ASK:
2729 /* We need to ask the user what to do. */
2732 case _tofu_GET_POLICY_ERROR:
2733 trust_level = _tofu_GET_TRUST_ERROR;
2737 log_bug ("%s: Impossible value for policy (%d)\n", __func__, policy);
2743 * 1. The saved policy is auto and the default policy is ask
2744 * (get_policy() == TOFU_POLICY_AUTO
2745 * && opt.tofu_default_policy == TOFU_POLICY_ASK)
2747 * 2. The saved policy is ask (either last time the user selected
2748 * accept once or reject once or there was a conflict and this
2749 * binding's policy was changed from auto to ask)
2750 * (policy == TOFU_POLICY_ASK).
2752 log_assert (policy == TOFU_POLICY_ASK);
2756 /* We can't be in a normal transaction in ask_about_binding. */
2757 end_transaction (ctrl, 0);
2760 /* If we get here, we need to ask the user about the binding. */
2761 ask_about_binding (ctrl,
2772 trust_level = TRUST_UNDEFINED;
2775 /* Mark any conflicting bindings that have an automatic policy as
2776 * now requiring confirmation. Note: we do this after we ask for
2777 * confirmation so that when the current policy is printed, it is
2779 if (! in_transaction)
2781 begin_transaction (ctrl, 0);
2785 /* The conflict set should always contain at least one element:
2786 * the current key. */
2787 log_assert (conflict_set);
2789 for (iter = conflict_set->next; iter; iter = iter->next)
2791 /* We don't immediately set the effective policy to 'ask,
2793 rc = gpgsql_exec_printf
2794 (dbs->db, NULL, NULL, &sqerr,
2795 "update bindings set effective_policy = %d, conflict = %Q"
2796 " where email = %Q and fingerprint = %Q and effective_policy != %d;",
2797 TOFU_POLICY_NONE, fingerprint,
2798 email, iter->d, TOFU_POLICY_ASK);
2801 log_error (_("error changing TOFU policy: %s\n"), sqerr);
2802 print_further_info ("binding: <key: %s, user id: %s>",
2803 fingerprint, user_id);
2804 sqlite3_free (sqerr);
2806 rc = gpg_error (GPG_ERR_GENERAL);
2809 log_debug ("Set %s to conflict with %s\n",
2810 iter->d, fingerprint);
2815 end_transaction (ctrl, 0);
2821 *conflict_setp = conflict_set;
2823 free_strlist (conflict_set);
2829 /* Return a malloced string of the form
2831 * The caller should replace all '~' in the returned string by a space
2832 * and also free the returned string.
2834 * This is actually a bad hack which may not work correctly with all
2838 time_ago_str (long long int t)
2840 /* It would be nice to use a macro to do this, but gettext
2841 works on the unpreprocessed code. */
2842 #define MIN_SECS (60)
2843 #define HOUR_SECS (60 * MIN_SECS)
2844 #define DAY_SECS (24 * HOUR_SECS)
2845 #define WEEK_SECS (7 * DAY_SECS)
2846 #define MONTH_SECS (30 * DAY_SECS)
2847 #define YEAR_SECS (365 * DAY_SECS)
2849 if (t > 2 * YEAR_SECS)
2851 long long int c = t / YEAR_SECS;
2852 return xtryasprintf (ngettext("%lld~year", "%lld~years", c), c);
2854 if (t > 2 * MONTH_SECS)
2856 long long int c = t / MONTH_SECS;
2857 return xtryasprintf (ngettext("%lld~month", "%lld~months", c), c);
2859 if (t > 2 * WEEK_SECS)
2861 long long int c = t / WEEK_SECS;
2862 return xtryasprintf (ngettext("%lld~week", "%lld~weeks", c), c);
2864 if (t > 2 * DAY_SECS)
2866 long long int c = t / DAY_SECS;
2867 return xtryasprintf (ngettext("%lld~day", "%lld~days", c), c);
2869 if (t > 2 * HOUR_SECS)
2871 long long int c = t / HOUR_SECS;
2872 return xtryasprintf (ngettext("%lld~hour", "%lld~hours", c), c);
2874 if (t > 2 * MIN_SECS)
2876 long long int c = t / MIN_SECS;
2877 return xtryasprintf (ngettext("%lld~minute", "%lld~minutes", c), c);
2879 return xtryasprintf (ngettext("%lld~second", "%lld~seconds", t), t);
2883 /* If FP is NULL, write TOFU_STATS status line. If FP is not NULL
2884 * write a "tfs" record to that stream. */
2886 write_stats_status (estream_t fp,
2887 enum tofu_policy policy,
2888 unsigned long signature_count,
2889 unsigned long signature_first_seen,
2890 unsigned long signature_most_recent,
2891 unsigned long signature_days,
2892 unsigned long encryption_count,
2893 unsigned long encryption_first_done,
2894 unsigned long encryption_most_recent,
2895 unsigned long encryption_days)
2901 /* Use the euclidean distance (m = sqrt(a^2 + b^2)) rather then the
2902 sum of the magnitudes (m = a + b) to ensure a balance between
2903 verified signatures and encrypted messages. */
2904 days = sqrtu32 (signature_days * signature_days
2905 + encryption_days * encryption_days);
2908 validity = 1; /* Key without history. */
2909 else if (days < 2 * BASIC_TRUST_THRESHOLD)
2910 validity = 2; /* Key with too little history. */
2911 else if (days < 2 * FULL_TRUST_THRESHOLD)
2912 validity = 3; /* Key with enough history for basic trust. */
2914 validity = 4; /* Key with a lot of history. */
2916 if (policy == TOFU_POLICY_ASK)
2917 summary = 0; /* Key requires attention. */
2923 es_fprintf (fp, "tfs:1:%d:%lu:%lu:%s:%lu:%lu:%lu:%lu:%d:%lu:%lu:\n",
2924 summary, signature_count, encryption_count,
2925 tofu_policy_str (policy),
2926 signature_first_seen, signature_most_recent,
2927 encryption_first_done, encryption_most_recent,
2928 validity, signature_days, encryption_days);
2932 write_status_printf (STATUS_TOFU_STATS,
2933 "%d %lu %lu %s %lu %lu %lu %lu %d %lu %lu",
2937 tofu_policy_str (policy),
2938 signature_first_seen,
2939 signature_most_recent,
2940 encryption_first_done,
2941 encryption_most_recent,
2943 signature_days, encryption_days);
2947 /* Note: If OUTFP is not NULL, this function merely prints a "tfs" record
2950 * POLICY is the key's policy (as returned by get_policy).
2952 * Returns 0 if if ONLY_STATUS_FD is set. Otherwise, returns whether
2953 * the caller should call show_warning after iterating over all user
2957 show_statistics (tofu_dbs_t dbs,
2958 const char *fingerprint, const char *email,
2959 enum tofu_policy policy,
2960 estream_t outfp, int only_status_fd, time_t now)
2962 char *fingerprint_pp;
2964 strlist_t strlist = NULL;
2967 unsigned long signature_first_seen = 0;
2968 unsigned long signature_most_recent = 0;
2969 unsigned long signature_count = 0;
2970 unsigned long signature_days = 0;
2971 unsigned long encryption_first_done = 0;
2972 unsigned long encryption_most_recent = 0;
2973 unsigned long encryption_count = 0;
2974 unsigned long encryption_days = 0;
2976 int show_warning = 0;
2978 if (only_status_fd && ! is_status_enabled ())
2981 fingerprint_pp = format_hexfingerprint (fingerprint, NULL, 0);
2983 /* Get the signature stats. */
2984 rc = gpgsql_exec_printf
2985 (dbs->db, strings_collect_cb, &strlist, &err,
2986 "select count (*), min (signatures.time), max (signatures.time)\n"
2987 " from signatures\n"
2988 " left join bindings on signatures.binding = bindings.oid\n"
2989 " where fingerprint = %Q and email = %Q;",
2990 fingerprint, email);
2993 log_error (_("error reading TOFU database: %s\n"), err);
2994 print_further_info ("getting signature statistics");
2996 rc = gpg_error (GPG_ERR_GENERAL);
2999 rc = gpgsql_exec_printf
3000 (dbs->db, strings_collect_cb, &strlist, &err,
3001 "select count (*) from\n"
3002 " (select round(signatures.time / (24 * 60 * 60)) day\n"
3003 " from signatures\n"
3004 " left join bindings on signatures.binding = bindings.oid\n"
3005 " where fingerprint = %Q and email = %Q\n"
3007 fingerprint, email);
3010 log_error (_("error reading TOFU database: %s\n"), err);
3011 print_further_info ("getting signature statistics (by day)");
3013 rc = gpg_error (GPG_ERR_GENERAL);
3019 /* We expect exactly 4 elements. */
3020 log_assert (strlist->next);
3021 log_assert (strlist->next->next);
3022 log_assert (strlist->next->next->next);
3023 log_assert (! strlist->next->next->next->next);
3025 string_to_ulong (&signature_days, strlist->d, -1, __LINE__);
3026 string_to_ulong (&signature_count, strlist->next->d, -1, __LINE__);
3027 string_to_ulong (&signature_first_seen,
3028 strlist->next->next->d, -1, __LINE__);
3029 string_to_ulong (&signature_most_recent,
3030 strlist->next->next->next->d, -1, __LINE__);
3032 free_strlist (strlist);
3036 /* Get the encryption stats. */
3037 rc = gpgsql_exec_printf
3038 (dbs->db, strings_collect_cb, &strlist, &err,
3039 "select count (*), min (encryptions.time), max (encryptions.time)\n"
3040 " from encryptions\n"
3041 " left join bindings on encryptions.binding = bindings.oid\n"
3042 " where fingerprint = %Q and email = %Q;",
3043 fingerprint, email);
3046 log_error (_("error reading TOFU database: %s\n"), err);
3047 print_further_info ("getting encryption statistics");
3049 rc = gpg_error (GPG_ERR_GENERAL);
3052 rc = gpgsql_exec_printf
3053 (dbs->db, strings_collect_cb, &strlist, &err,
3054 "select count (*) from\n"
3055 " (select round(encryptions.time / (24 * 60 * 60)) day\n"
3056 " from encryptions\n"
3057 " left join bindings on encryptions.binding = bindings.oid\n"
3058 " where fingerprint = %Q and email = %Q\n"
3060 fingerprint, email);
3063 log_error (_("error reading TOFU database: %s\n"), err);
3064 print_further_info ("getting encryption statistics (by day)");
3066 rc = gpg_error (GPG_ERR_GENERAL);
3072 /* We expect exactly 4 elements. */
3073 log_assert (strlist->next);
3074 log_assert (strlist->next->next);
3075 log_assert (strlist->next->next->next);
3076 log_assert (! strlist->next->next->next->next);
3078 string_to_ulong (&encryption_days, strlist->d, -1, __LINE__);
3079 string_to_ulong (&encryption_count, strlist->next->d, -1, __LINE__);
3080 string_to_ulong (&encryption_first_done,
3081 strlist->next->next->d, -1, __LINE__);
3082 string_to_ulong (&encryption_most_recent,
3083 strlist->next->next->next->d, -1, __LINE__);
3085 free_strlist (strlist);
3090 write_status_text_and_buffer (STATUS_TOFU_USER, fingerprint,
3091 email, strlen (email), 0);
3093 write_stats_status (outfp, policy,
3095 signature_first_seen,
3096 signature_most_recent,
3099 encryption_first_done,
3100 encryption_most_recent,
3103 if (!outfp && !only_status_fd)
3108 fp = es_fopenmem (0, "rw,samethread");
3110 log_fatal ("error creating memory stream: %s\n",
3111 gpg_strerror (gpg_error_from_syserror()));
3113 if (signature_count == 0 && encryption_count == 0)
3116 _("%s: Verified 0~signatures and encrypted 0~messages."),
3121 if (signature_count == 0)
3122 es_fprintf (fp, _("%s: Verified 0 signatures."), email);
3125 /* TRANSLATORS: The final %s is replaced by a string like
3127 char *ago_str = time_ago_str (now - signature_first_seen);
3130 ngettext("%s: Verified %ld~signature in the past %s.",
3131 "%s: Verified %ld~signatures in the past %s.",
3133 email, signature_count, ago_str);
3139 if (encryption_count == 0)
3140 es_fprintf (fp, _("Encrypted 0 messages."));
3143 char *ago_str = time_ago_str (now - encryption_first_done);
3145 /* TRANSLATORS: The final %s is replaced by a string like
3148 ngettext("Encrypted %ld~message in the past %s.",
3149 "Encrypted %ld~messages in the past %s.",
3151 encryption_count, ago_str);
3159 es_fprintf (fp, _("(policy: %s)"), tofu_policy_str (policy));
3161 es_fputs ("\n", fp);
3167 if (es_fclose_snatch (fp, (void **) &tmpmsg, NULL))
3168 log_fatal ("error snatching memory stream\n");
3169 msg = format_text (tmpmsg, 0, 72, 80);
3172 /* Print a status line but suppress the trailing LF.
3173 * Spaces are not percent escaped. */
3175 write_status_buffer (STATUS_TOFU_STATS_LONG,
3176 msg, strlen (msg)-1, -1);
3178 /* Remove the non-breaking space markers. */
3179 for (p=msg; *p; p++)
3184 log_string (GPGRT_LOG_INFO, msg);
3187 if (policy == TOFU_POLICY_AUTO)
3189 if (signature_count == 0)
3190 log_info (_("Warning: we have yet to see"
3191 " a message signed using this key and user id!\n"));
3192 else if (signature_count == 1)
3193 log_info (_("Warning: we've only seen one message"
3194 " signed using this key and user id!\n"));
3196 if (encryption_count == 0)
3197 log_info (_("Warning: you have yet to encrypt"
3198 " a message to this key!\n"));
3199 else if (encryption_count == 1)
3200 log_info (_("Warning: you have only encrypted"
3201 " one message to this key!\n"));
3203 /* Cf. write_stats_status */
3204 if (sqrtu32 (encryption_count * encryption_count
3205 + signature_count * signature_count)
3206 < 2 * BASIC_TRUST_THRESHOLD)
3212 xfree (fingerprint_pp);
3214 return show_warning;
3218 show_warning (const char *fingerprint, strlist_t user_id_list)
3220 char *set_policy_command;
3224 set_policy_command =
3225 xasprintf ("gpg --tofu-policy bad %s", fingerprint);
3229 ("Warning: if you think you've seen more signatures "
3230 "by this key and user id, then this key might be a "
3231 "forgery! Carefully examine the email address for small "
3232 "variations. If the key is suspect, then use\n"
3234 "to mark it as being bad.\n",
3235 "Warning: if you think you've seen more signatures "
3236 "by this key and these user ids, then this key might be a "
3237 "forgery! Carefully examine the email addresses for small "
3238 "variations. If the key is suspect, then use\n"
3240 "to mark it as being bad.\n",
3241 strlist_length (user_id_list)),
3242 set_policy_command);
3244 text = format_text (tmpmsg, 0, 72, 80);
3246 log_string (GPGRT_LOG_INFO, text);
3249 es_free (set_policy_command);
3253 /* Extract the email address from a user id and normalize it. If the
3254 user id doesn't contain an email address, then we use the whole
3255 user_id and normalize that. The returned string must be freed. */
3257 email_from_user_id (const char *user_id)
3259 char *email = mailbox_from_userid (user_id);
3262 /* Hmm, no email address was provided or we are out of core. Just
3263 take the lower-case version of the whole user id. It could be
3264 a hostname, for instance. */
3265 email = ascii_strlwr (xstrdup (user_id));
3271 /* Register the signature with the bindings <fingerprint, USER_ID>,
3272 for each USER_ID in USER_ID_LIST. The fingerprint is taken from
3273 the primary key packet PK.
3275 SIG_DIGEST_BIN is the binary representation of the message's
3276 digest. SIG_DIGEST_BIN_LEN is its length.
3278 SIG_TIME is the time that the signature was generated.
3280 ORIGIN is a free-formed string describing the origin of the
3281 signature. If this was from an email and the Claws MUA was used,
3282 then this should be something like: "email:claws". If this is
3283 NULL, the default is simply "unknown".
3285 If MAY_ASK is 1, then this function may interact with the user.
3286 This is necessary if there is a conflict or the binding's policy is
3289 This function returns 0 on success and an error code if an error
3292 tofu_register_signature (ctrl_t ctrl,
3293 PKT_public_key *pk, strlist_t user_id_list,
3294 const byte *sig_digest_bin, int sig_digest_bin_len,
3295 time_t sig_time, const char *origin)
3297 time_t now = gnupg_get_time ();
3300 char *fingerprint = NULL;
3307 dbs = opendbs (ctrl);
3310 rc = gpg_error (GPG_ERR_GENERAL);
3311 log_error (_("error opening TOFU database: %s\n"),
3316 /* We do a query and then an insert. Make sure they are atomic
3317 by wrapping them in a transaction. */
3318 rc = begin_transaction (ctrl, 0);
3322 log_assert (pk_is_primary (pk));
3324 sig_digest = make_radix64_string (sig_digest_bin, sig_digest_bin_len);
3325 fingerprint = hexfingerprint (pk, NULL, 0);
3328 /* The default origin is simply "unknown". */
3331 for (user_id = user_id_list; user_id; user_id = user_id->next)
3333 email = email_from_user_id (user_id->d);
3336 log_debug ("TOFU: Registering signature %s with binding"
3337 " <key: %s, user id: %s>\n",
3338 sig_digest, fingerprint, email);
3340 /* Make sure the binding exists and record any TOFU
3342 if (get_trust (ctrl, pk, fingerprint, email, user_id->d,
3344 == _tofu_GET_TRUST_ERROR)
3346 rc = gpg_error (GPG_ERR_GENERAL);
3351 /* If we've already seen this signature before, then don't add
3354 (dbs->db, &dbs->s.register_already_seen,
3355 get_single_unsigned_long_cb2, &c, &err,
3356 "select count (*)\n"
3357 " from signatures left join bindings\n"
3358 " on signatures.binding = bindings.oid\n"
3359 " where fingerprint = ? and email = ? and sig_time = ?\n"
3360 " and sig_digest = ?",
3361 GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email,
3362 GPGSQL_ARG_LONG_LONG, (long long) sig_time,
3363 GPGSQL_ARG_STRING, sig_digest,
3367 log_error (_("error reading TOFU database: %s\n"), err);
3368 print_further_info ("checking existence");
3370 rc = gpg_error (GPG_ERR_GENERAL);
3373 /* Duplicates! This should not happen. In particular,
3374 because <fingerprint, email, sig_time, sig_digest> is the
3376 log_debug ("SIGNATURES DB contains duplicate records"
3377 " <key: %s, email: %s, time: 0x%lx, sig: %s,"
3379 " Please report.\n",
3380 fingerprint, email, (unsigned long) sig_time,
3381 sig_digest, origin);
3385 log_debug ("Already observed the signature and binding"
3386 " <key: %s, email: %s, time: 0x%lx, sig: %s,"
3388 fingerprint, email, (unsigned long) sig_time,
3389 sig_digest, origin);
3391 else if (opt.dry_run)
3393 log_info ("TOFU database update skipped due to --dry-run\n");
3396 /* This is the first time that we've seen this signature and
3397 binding. Record it. */
3400 log_debug ("TOFU: Saving signature"
3401 " <key: %s, user id: %s, sig: %s>\n",
3402 fingerprint, email, sig_digest);
3404 log_assert (c == 0);
3407 (dbs->db, &dbs->s.register_signature, NULL, NULL, &err,
3408 "insert into signatures\n"
3409 " (binding, sig_digest, origin, sig_time, time)\n"
3411 " ((select oid from bindings\n"
3412 " where fingerprint = ? and email = ?),\n"
3414 GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email,
3415 GPGSQL_ARG_STRING, sig_digest, GPGSQL_ARG_STRING, origin,
3416 GPGSQL_ARG_LONG_LONG, (long long) sig_time,
3417 GPGSQL_ARG_LONG_LONG, (long long) now,
3421 log_error (_("error updating TOFU database: %s\n"), err);
3422 print_further_info ("insert signatures");
3424 rc = gpg_error (GPG_ERR_GENERAL);
3435 rollback_transaction (ctrl);
3437 rc = end_transaction (ctrl, 0);
3439 xfree (fingerprint);
3446 tofu_register_encryption (ctrl_t ctrl,
3447 PKT_public_key *pk, strlist_t user_id_list,
3450 time_t now = gnupg_get_time ();
3454 int free_user_id_list = 0;
3455 char *fingerprint = NULL;
3459 dbs = opendbs (ctrl);
3462 rc = gpg_error (GPG_ERR_GENERAL);
3463 log_error (_("error opening TOFU database: %s\n"),
3468 if (/* We need the key block to find the primary key. */
3469 ! pk_is_primary (pk)
3470 /* We need the key block to find all user ids. */
3472 kb = get_pubkeyblock (pk->keyid);
3474 /* Make sure PK is a primary key. */
3475 if (! pk_is_primary (pk))
3476 pk = kb->pkt->pkt.public_key;
3480 /* Use all non-revoked user ids. Do use expired user ids. */
3483 while ((n = find_next_kbnode (n, PKT_USER_ID)))
3485 PKT_user_id *uid = n->pkt->pkt.user_id;
3487 if (uid->is_revoked)
3490 add_to_strlist (&user_id_list, uid->name);
3493 free_user_id_list = 1;
3496 log_info (_("WARNING: Encrypting to %s, which has no "
3497 "non-revoked user ids\n"),
3498 keystr (pk->keyid));
3501 fingerprint = hexfingerprint (pk, NULL, 0);
3503 tofu_begin_batch_update (ctrl);
3504 tofu_resume_batch_transaction (ctrl);
3506 for (user_id = user_id_list; user_id; user_id = user_id->next)
3508 char *email = email_from_user_id (user_id->d);
3509 strlist_t conflict_set = NULL;
3510 enum tofu_policy policy;
3512 /* Make sure the binding exists and that we recognize any
3514 int tl = get_trust (ctrl, pk, fingerprint, email, user_id->d,
3515 may_ask, &policy, &conflict_set, now);
3516 if (tl == _tofu_GET_TRUST_ERROR)
3519 rc = gpg_error (GPG_ERR_GENERAL);
3525 /* If there is a conflict and MAY_ASK is true, we need to show
3526 * the TOFU statistics for the current binding and the
3527 * conflicting bindings. But, if we are not in batch mode, then
3528 * they have already been printed (this is required to make sure
3529 * the information is available to the caller before cpr_get is
3531 if (policy == TOFU_POLICY_ASK && may_ask && opt.batch)
3535 /* The conflict set should contain at least the current
3537 log_assert (conflict_set);
3539 for (iter = conflict_set; iter; iter = iter->next)
3540 show_statistics (dbs, iter->d, email,
3541 TOFU_POLICY_ASK, NULL, 1, now);
3544 free_strlist (conflict_set);
3547 (dbs->db, &dbs->s.register_encryption, NULL, NULL, &err,
3548 "insert into encryptions\n"
3549 " (binding, time)\n"
3551 " ((select oid from bindings\n"
3552 " where fingerprint = ? and email = ?),\n"
3554 GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email,
3555 GPGSQL_ARG_LONG_LONG, (long long) now,
3559 log_error (_("error updating TOFU database: %s\n"), err);
3560 print_further_info ("insert encryption");
3562 rc = gpg_error (GPG_ERR_GENERAL);
3569 tofu_end_batch_update (ctrl);
3572 release_kbnode (kb);
3574 if (free_user_id_list)
3575 free_strlist (user_id_list);
3577 xfree (fingerprint);
3583 /* Combine a trust level returned from the TOFU trust model with a
3584 trust level returned by the PGP trust model. This is primarily of
3585 interest when the trust model is tofu+pgp (TM_TOFU_PGP).
3587 This function ors together the upper bits (the values not covered
3588 by TRUST_MASK, i.e., TRUST_FLAG_REVOKED, etc.). */
3590 tofu_wot_trust_combine (int tofu_base, int wot_base)
3592 int tofu = tofu_base & TRUST_MASK;
3593 int wot = wot_base & TRUST_MASK;
3594 int upper = (tofu_base & ~TRUST_MASK) | (wot_base & ~TRUST_MASK);
3596 log_assert (tofu == TRUST_UNKNOWN
3597 || tofu == TRUST_EXPIRED
3598 || tofu == TRUST_UNDEFINED
3599 || tofu == TRUST_NEVER
3600 || tofu == TRUST_MARGINAL
3601 || tofu == TRUST_FULLY
3602 || tofu == TRUST_ULTIMATE);
3603 log_assert (wot == TRUST_UNKNOWN
3604 || wot == TRUST_EXPIRED
3605 || wot == TRUST_UNDEFINED
3606 || wot == TRUST_NEVER
3607 || wot == TRUST_MARGINAL
3608 || wot == TRUST_FULLY
3609 || wot == TRUST_ULTIMATE);
3611 /* We first consider negative trust policys. These trump positive
3613 if (tofu == TRUST_NEVER || wot == TRUST_NEVER)
3614 /* TRUST_NEVER trumps everything else. */
3615 return upper | TRUST_NEVER;
3616 if (tofu == TRUST_EXPIRED || wot == TRUST_EXPIRED)
3617 /* TRUST_EXPIRED trumps everything but TRUST_NEVER. */
3618 return upper | TRUST_EXPIRED;
3620 /* Now we only have positive or neutral trust policies. We take
3622 if (tofu == TRUST_ULTIMATE)
3623 return upper | TRUST_ULTIMATE | TRUST_FLAG_TOFU_BASED;
3624 if (wot == TRUST_ULTIMATE)
3625 return upper | TRUST_ULTIMATE;
3627 if (tofu == TRUST_FULLY)
3628 return upper | TRUST_FULLY | TRUST_FLAG_TOFU_BASED;
3629 if (wot == TRUST_FULLY)
3630 return upper | TRUST_FULLY;
3632 if (tofu == TRUST_MARGINAL)
3633 return upper | TRUST_MARGINAL | TRUST_FLAG_TOFU_BASED;
3634 if (wot == TRUST_MARGINAL)
3635 return upper | TRUST_MARGINAL;
3637 if (tofu == TRUST_UNDEFINED)
3638 return upper | TRUST_UNDEFINED | TRUST_FLAG_TOFU_BASED;
3639 if (wot == TRUST_UNDEFINED)
3640 return upper | TRUST_UNDEFINED;
3642 return upper | TRUST_UNKNOWN;
3646 /* Write a "tfs" record for a --with-colons listing. */
3648 tofu_write_tfs_record (ctrl_t ctrl, estream_t fp,
3649 PKT_public_key *pk, const char *user_id)
3651 time_t now = gnupg_get_time ();
3656 enum tofu_policy policy;
3659 return 0; /* No TOFU stats possible for an empty ID. */
3661 dbs = opendbs (ctrl);
3664 err = gpg_error (GPG_ERR_GENERAL);
3665 log_error (_("error opening TOFU database: %s\n"), gpg_strerror (err));
3669 fingerprint = hexfingerprint (pk, NULL, 0);
3670 email = email_from_user_id (user_id);
3671 policy = get_policy (dbs, pk, fingerprint, user_id, email, NULL, now);
3673 show_statistics (dbs, fingerprint, email, policy, fp, 0, now);
3676 xfree (fingerprint);
3681 /* Return the validity (TRUST_NEVER, etc.) of the bindings
3682 <FINGERPRINT, USER_ID>, for each USER_ID in USER_ID_LIST. If
3683 USER_ID_LIST->FLAG is set, then the id is considered to be expired.
3685 PK is the primary key packet.
3687 If MAY_ASK is 1 and the policy is TOFU_POLICY_ASK, then the user
3688 will be prompted to choose a policy. If MAY_ASK is 0 and the
3689 policy is TOFU_POLICY_ASK, then TRUST_UNKNOWN is returned.
3691 Returns TRUST_UNDEFINED if an error occurs. */
3693 tofu_get_validity (ctrl_t ctrl, PKT_public_key *pk, strlist_t user_id_list,
3696 time_t now = gnupg_get_time ();
3698 char *fingerprint = NULL;
3700 int trust_level = TRUST_UNKNOWN;
3702 int bindings_valid = 0;
3703 int need_warning = 0;
3704 int had_conflict = 0;
3706 dbs = opendbs (ctrl);
3709 log_error (_("error opening TOFU database: %s\n"),
3710 gpg_strerror (GPG_ERR_GENERAL));
3711 return TRUST_UNDEFINED;
3714 fingerprint = hexfingerprint (pk, NULL, 0);
3716 tofu_begin_batch_update (ctrl);
3717 /* Start the batch transaction now. */
3718 tofu_resume_batch_transaction (ctrl);
3720 for (user_id = user_id_list; user_id; user_id = user_id->next, bindings ++)
3722 char *email = email_from_user_id (user_id->d);
3723 strlist_t conflict_set = NULL;
3724 enum tofu_policy policy;
3726 /* Always call get_trust to make sure the binding is
3728 int tl = get_trust (ctrl, pk, fingerprint, email, user_id->d,
3729 may_ask, &policy, &conflict_set, now);
3730 if (tl == _tofu_GET_TRUST_ERROR)
3733 trust_level = TRUST_UNDEFINED;
3739 log_debug ("TOFU: validity for <key: %s, user id: %s>: %s%s.\n",
3741 trust_value_to_string (tl),
3742 user_id->flags ? " (but expired)" : "");
3747 if (tl != TRUST_EXPIRED)
3750 if (may_ask && tl != TRUST_ULTIMATE && tl != TRUST_EXPIRED)
3752 /* If policy is ask, then we already printed out the
3753 * conflict information in ask_about_binding or will do so
3755 if (policy != TOFU_POLICY_ASK)
3757 show_statistics (dbs, fingerprint, email, policy, NULL, 0, now);
3759 /* If there is a conflict and MAY_ASK is true, we need to
3760 * show the TOFU statistics for the current binding and the
3761 * conflicting bindings. But, if we are not in batch mode,
3762 * then they have already been printed (this is required to
3763 * make sure the information is available to the caller
3764 * before cpr_get is called). */
3765 if (policy == TOFU_POLICY_ASK && opt.batch)
3769 /* The conflict set should contain at least the current
3771 log_assert (conflict_set);
3774 for (iter = conflict_set; iter; iter = iter->next)
3775 show_statistics (dbs, iter->d, email,
3776 TOFU_POLICY_ASK, NULL, 1, now);
3780 free_strlist (conflict_set);
3782 if (tl == TRUST_NEVER)
3783 trust_level = TRUST_NEVER;
3784 else if (tl == TRUST_EXPIRED)
3785 /* Ignore expired bindings in the trust calculation. */
3787 else if (tl > trust_level)
3789 /* The expected values: */
3790 log_assert (tl == TRUST_UNKNOWN || tl == TRUST_UNDEFINED
3791 || tl == TRUST_MARGINAL || tl == TRUST_FULLY
3792 || tl == TRUST_ULTIMATE);
3794 /* We assume the following ordering: */
3795 log_assert (TRUST_UNKNOWN < TRUST_UNDEFINED);
3796 log_assert (TRUST_UNDEFINED < TRUST_MARGINAL);
3797 log_assert (TRUST_MARGINAL < TRUST_FULLY);
3798 log_assert (TRUST_FULLY < TRUST_ULTIMATE);
3806 if (need_warning && ! had_conflict)
3807 show_warning (fingerprint, user_id_list);
3810 tofu_end_batch_update (ctrl);
3812 xfree (fingerprint);
3814 if (bindings_valid == 0)
3817 log_debug ("no (of %d) valid bindings."
3818 " Can't get TOFU validity for this set of user ids.\n",
3826 /* Set the policy for all non-revoked user ids in the keyblock KB to
3829 If no key is available with the specified key id, then this
3830 function returns GPG_ERR_NO_PUBKEY.
3832 Returns 0 on success and an error code otherwise. */
3834 tofu_set_policy (ctrl_t ctrl, kbnode_t kb, enum tofu_policy policy)
3837 time_t now = gnupg_get_time ();
3840 char *fingerprint = NULL;
3842 log_assert (kb->pkt->pkttype == PKT_PUBLIC_KEY);
3843 pk = kb->pkt->pkt.public_key;
3845 dbs = opendbs (ctrl);
3848 log_error (_("error opening TOFU database: %s\n"),
3849 gpg_strerror (GPG_ERR_GENERAL));
3850 return gpg_error (GPG_ERR_GENERAL);
3854 log_debug ("Setting TOFU policy for %s to %s\n",
3855 keystr (pk->keyid), tofu_policy_str (policy));
3856 if (! pk_is_primary (pk))
3857 log_bug ("%s: Passed a subkey, but expecting a primary key.\n", __func__);
3859 fingerprint = hexfingerprint (pk, NULL, 0);
3861 begin_transaction (ctrl, 0);
3863 for (; kb; kb = kb->next)
3865 PKT_user_id *user_id;
3868 if (kb->pkt->pkttype != PKT_USER_ID)
3871 user_id = kb->pkt->pkt.user_id;
3872 if (user_id->is_revoked)
3873 /* Skip revoked user ids. (Don't skip expired user ids, the
3874 expiry can be changed.) */
3877 email = email_from_user_id (user_id->name);
3879 err = record_binding (dbs, fingerprint, email, user_id->name,
3880 policy, TOFU_POLICY_NONE, NULL, 0, 1, now);
3883 log_error (_("error setting policy for key %s, user id \"%s\": %s"),
3884 fingerprint, email, gpg_strerror (err));
3893 rollback_transaction (ctrl);
3895 end_transaction (ctrl, 0);
3897 xfree (fingerprint);
3901 /* Return the TOFU policy for the specified binding in *POLICY. If no
3902 policy has been set for the binding, sets *POLICY to
3905 PK is a primary public key and USER_ID is a user id.
3907 Returns 0 on success and an error code otherwise. */
3909 tofu_get_policy (ctrl_t ctrl, PKT_public_key *pk, PKT_user_id *user_id,
3910 enum tofu_policy *policy)
3912 time_t now = gnupg_get_time ();
3917 /* Make sure PK is a primary key. */
3918 log_assert (pk_is_primary (pk));
3920 dbs = opendbs (ctrl);
3923 log_error (_("error opening TOFU database: %s\n"),
3924 gpg_strerror (GPG_ERR_GENERAL));
3925 return gpg_error (GPG_ERR_GENERAL);
3928 fingerprint = hexfingerprint (pk, NULL, 0);
3930 email = email_from_user_id (user_id->name);
3932 *policy = get_policy (dbs, pk, fingerprint, user_id->name, email, NULL, now);
3935 xfree (fingerprint);
3936 if (*policy == _tofu_GET_POLICY_ERROR)
3937 return gpg_error (GPG_ERR_GENERAL);
3942 tofu_notice_key_changed (ctrl_t ctrl, kbnode_t kb)
3947 char *sqlerr = NULL;
3950 /* Make sure PK is a primary key. */
3951 setup_main_keyids (kb);
3952 pk = kb->pkt->pkt.public_key;
3953 log_assert (pk_is_primary (pk));
3955 dbs = opendbs (ctrl);
3958 log_error (_("error opening TOFU database: %s\n"),
3959 gpg_strerror (GPG_ERR_GENERAL));
3960 return gpg_error (GPG_ERR_GENERAL);
3963 fingerprint = hexfingerprint (pk, NULL, 0);
3965 rc = gpgsql_stepx (dbs->db, NULL, NULL, NULL, &sqlerr,
3966 "update bindings set effective_policy = ?"
3967 " where fingerprint = ?;",
3968 GPGSQL_ARG_INT, (int) TOFU_POLICY_NONE,
3969 GPGSQL_ARG_STRING, fingerprint,
3971 xfree (fingerprint);
3973 if (rc == _tofu_GET_POLICY_ERROR)
3974 return gpg_error (GPG_ERR_GENERAL);