search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Move password repetition from gpg to gpg-agent.
[gnupg.git] / agent / trustlist.c
blob027dec03eb79440e5fbfd9c71b369082e46a379e
1 /* trustlist.c - Maintain the list of trusted keys
2 * Copyright (C) 2002, 2004, 2006, 2007 Free Software Foundation, Inc.
3 *
4 * This file is part of GnuPG.
5 *
6 * GnuPG is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * GnuPG is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include <config.h>
21 #include <errno.h>
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <ctype.h>
26 #include <assert.h>
27 #include <unistd.h>
28 #include <sys/stat.h>
29 #include <pth.h>
30
31 #include "agent.h"
32 #include <assuan.h> /* fixme: need a way to avoid assuan calls here */
33 #include "i18n.h"
34
35
36 /* A structure to store the information from the trust file. */
37 struct trustitem_s
38 {
39 struct
40 {
41 int for_pgp:1; /* Set by '*' or 'P' as first flag. */
42 int for_smime:1; /* Set by '*' or 'S' as first flag. */
43 int relax:1; /* Relax checking of root certificate
44 constraints. */
45 int cm:1; /* Use chain model for validation. */
46 } flags;
47 unsigned char fpr[20]; /* The binary fingerprint. */
48 };
49 typedef struct trustitem_s trustitem_t;
50
51 /* Malloced table and its allocated size with all trust items. */
52 static trustitem_t *trusttable;
53 static size_t trusttablesize;
54 /* A mutex used to protect the table. */
55 static pth_mutex_t trusttable_lock;
56
57
58
59 static const char headerblurb[] =
60 "# This is the list of trusted keys. Comment lines, like this one, as\n"
61 "# well as empty lines are ignored. Lines have a length limit but this\n"
62 "# is not serious limitation as the format of the entries is fixed and\n"
63 "# checked by gpg-agent. A non-comment line starts with optional white\n"
64 "# space, followed by the SHA-1 fingerpint in hex, optionally followed\n"
65 "# by a flag character which my either be 'P', 'S' or '*'. You should\n"
66 "# give the gpg-agent a HUP after editing this file.\n"
67 "\n\n"
68 "# Include the default trust list\n"
69 "include-default\n"
70 "\n";
71
72
73 /* This function must be called once to initialize this module. This
74 has to be done before a second thread is spawned. We can't do the
75 static initialization because Pth emulation code might not be able
76 to do a static init; in particular, it is not possible for W32. */
77 void
78 initialize_module_trustlist (void)
79 {
80 static int initialized;
81
82 if (!initialized)
83 {
84 if (!pth_mutex_init (&trusttable_lock))
85 log_fatal ("error initializing mutex: %s\n", strerror (errno));
86 initialized = 1;
87 }
88 }
89
90
91
92 \f
93 static void
94 lock_trusttable (void)
95 {
96 if (!pth_mutex_acquire (&trusttable_lock, 0, NULL))
97 log_fatal ("failed to acquire mutex in %s\n", __FILE__);
98 }
99
100 static void
101 unlock_trusttable (void)
102 {
103 if (!pth_mutex_release (&trusttable_lock))
104 log_fatal ("failed to release mutex in %s\n", __FILE__);
105 }
106
107
108
109 static gpg_error_t
110 read_one_trustfile (const char *fname, int allow_include,
111 trustitem_t **addr_of_table,
112 size_t *addr_of_tablesize,
113 int *addr_of_tableidx)
114 {
115 gpg_error_t err = 0;
116 FILE *fp;
117 int n, c;
118 char *p, line[256];
119 trustitem_t *table, *ti;
120 int tableidx;
121 size_t tablesize;
122 int lnr = 0;
123
124 table = *addr_of_table;
125 tablesize = *addr_of_tablesize;
126 tableidx = *addr_of_tableidx;
127
128 fp = fopen (fname, "r");
129 if (!fp)
130 {
131 err = gpg_error_from_syserror ();
132 log_error (_("error opening `%s': %s\n"), fname, gpg_strerror (err));
133 goto leave;
134 }
135
136 while (fgets (line, DIM(line)-1, fp))
137 {
138 lnr++;
139
140 if (!*line || line[strlen(line)-1] != '\n')
141 {
142 /* Eat until end of line. */
143 while ( (c=getc (fp)) != EOF && c != '\n')
144 ;
145 err = gpg_error (*line? GPG_ERR_LINE_TOO_LONG
146 : GPG_ERR_INCOMPLETE_LINE);
147 log_error (_("file `%s', line %d: %s\n"),
148 fname, lnr, gpg_strerror (err));
149 continue;
150 }
151 line[strlen(line)-1] = 0; /* Chop the LF. */
152
153 /* Allow for empty lines and spaces */
154 for (p=line; spacep (p); p++)
155 ;
156 if (!*p || *p == '#')
157 continue;
158
159 if (!strncmp (p, "include-default", 15)
160 && (!p[15] || spacep (p+15)))
161 {
162 char *etcname;
163 gpg_error_t err2;
164
165 if (!allow_include)
166 {
167 log_error (_("statement \"%s\" ignored in `%s', line %d\n"),
168 "include-default", fname, lnr);
169 continue;
170 }
171 /* fixme: Should check for trailing garbage. */
172
173 etcname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
174 if ( !strcmp (etcname, fname) ) /* Same file. */
175 log_info (_("statement \"%s\" ignored in `%s', line %d\n"),
176 "include-default", fname, lnr);
177 else if ( access (etcname, F_OK) && errno == ENOENT )
178 {
179 /* A non existent system trustlist is not an error.
180 Just print a note. */
181 log_info (_("system trustlist `%s' not available\n"), etcname);
182 }
183 else
184 {
185 err2 = read_one_trustfile (etcname, 0,
186 &table, &tablesize, &tableidx);
187 if (err2)
188 err = err2;
189 }
190 xfree (etcname);
191
192 continue;
193 }
194
195 if (tableidx == tablesize) /* Need more space. */
196 {
197 trustitem_t *tmp;
198 size_t tmplen;
199
200 tmplen = tablesize + 20;
201 tmp = xtryrealloc (table, tmplen * sizeof *table);
202 if (!tmp)
203 {
204 err = gpg_error_from_syserror ();
205 goto leave;
206 }
207 table = tmp;
208 tablesize = tmplen;
209 }
210
211 ti = table + tableidx;
212
213 n = hexcolon2bin (p, ti->fpr, 20);
214 if (n < 0)
215 {
216 log_error (_("bad fingerprint in `%s', line %d\n"), fname, lnr);
217 err = gpg_error (GPG_ERR_BAD_DATA);
218 continue;
219 }
220 p += n;
221 for (; spacep (p); p++)
222 ;
223
224 memset (&ti->flags, 0, sizeof ti->flags);
225 /* Process the first flag which needs to be the first for
226 backward compatibility. */
227 if (!*p || *p == '*' )
228 {
229 ti->flags.for_smime = 1;
230 ti->flags.for_pgp = 1;
231 }
232 else if ( *p == 'P' || *p == 'p')
233 {
234 ti->flags.for_pgp = 1;
235 }
236 else if ( *p == 'S' || *p == 's')
237 {
238 ti->flags.for_smime = 1;
239 }
240 else
241 {
242 log_error (_("invalid keyflag in `%s', line %d\n"), fname, lnr);
243 err = gpg_error (GPG_ERR_BAD_DATA);
244 continue;
245 }
246 p++;
247 if ( *p && !spacep (p) )
248 {
249 log_error (_("invalid keyflag in `%s', line %d\n"), fname, lnr);
250 err = gpg_error (GPG_ERR_BAD_DATA);
251 continue;
252 }
253
254 /* Now check for more key-value pairs of the form NAME[=VALUE]. */
255 while (*p)
256 {
257 for (; spacep (p); p++)
258 ;
259 if (!*p)
260 break;
261 n = strcspn (p, "= \t");
262 if (p[n] == '=')
263 {
264 log_error ("assigning a value to a flag is not yet supported; "
265 "in `%s', line %d\n", fname, lnr);
266 err = gpg_error (GPG_ERR_BAD_DATA);
267 p++;
268 }
269 else if (n == 5 && !memcmp (p, "relax", 5))
270 ti->flags.relax = 1;
271 else if (n == 2 && !memcmp (p, "cm", 2))
272 ti->flags.cm = 1;
273 else
274 log_error ("flag `%.*s' in `%s', line %d ignored\n",
275 n, p, fname, lnr);
276 p += n;
277 }
278 tableidx++;
279 }
280 if ( !err && !feof (fp) )
281 {
282 err = gpg_error_from_syserror ();
283 log_error (_("error reading `%s', line %d: %s\n"),
284 fname, lnr, gpg_strerror (err));
285 }
286
287 leave:
288 if (fp)
289 fclose (fp);
290 *addr_of_table = table;
291 *addr_of_tablesize = tablesize;
292 *addr_of_tableidx = tableidx;
293 return err;
294 }
295
296
297 /* Read the trust files and update the global table on success. */
298 static gpg_error_t
299 read_trustfiles (void)
300 {
301 gpg_error_t err;
302 trustitem_t *table, *ti;
303 int tableidx;
304 size_t tablesize;
305 char *fname;
306 int allow_include = 1;
307
308 tablesize = 20;
309 table = xtrycalloc (tablesize, sizeof *table);
310 if (!table)
311 return gpg_error_from_syserror ();
312 tableidx = 0;
313
314 fname = make_filename (opt.homedir, "trustlist.txt", NULL);
315 if ( access (fname, F_OK) )
316 {
317 if ( errno == ENOENT )
318 ; /* Silently ignore a non-existing trustfile. */
319 else
320 {
321 err = gpg_error_from_syserror ();
322 log_error (_("error opening `%s': %s\n"), fname, gpg_strerror (err));
323 }
324 xfree (fname);
325 fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
326 allow_include = 0;
327 }
328 err = read_one_trustfile (fname, allow_include,
329 &table, &tablesize, &tableidx);
330 xfree (fname);
331
332 if (err)
333 {
334 xfree (table);
335 if (gpg_err_code (err) == GPG_ERR_ENOENT)
336 {
337 /* Take a missing trustlist as an empty one. */
338 lock_trusttable ();
339 xfree (trusttable);
340 trusttable = NULL;
341 trusttablesize = 0;
342 unlock_trusttable ();
343 err = 0;
344 }
345 return err;
346 }
347
348 /* Fixme: we should drop duplicates and sort the table. */
349 ti = xtryrealloc (table, (tableidx?tableidx:1) * sizeof *table);
350 if (!ti)
351 {
352 xfree (table);
353 return err;
354 }
355
356 lock_trusttable ();
357 xfree (trusttable);
358 trusttable = table;
359 trusttablesize = tableidx;
360 unlock_trusttable ();
361 return 0;
362 }
363
364
365
366 /* Check whether the given fpr is in our trustdb. We expect FPR to be
367 an all uppercase hexstring of 40 characters. */
368 gpg_error_t
369 agent_istrusted (ctrl_t ctrl, const char *fpr)
370 {
371 gpg_error_t err;
372 trustitem_t *ti;
373 size_t len;
374 unsigned char fprbin[20];
375
376 if ( hexcolon2bin (fpr, fprbin, 20) < 0 )
377 return gpg_error (GPG_ERR_INV_VALUE);
378
379 if (!trusttable)
380 {
381 err = read_trustfiles ();
382 if (err)
383 {
384 log_error (_("error reading list of trusted root certificates\n"));
385 return err;
386 }
387 }
388
389 if (trusttable)
390 {
391 for (ti=trusttable, len = trusttablesize; len; ti++, len--)
392 if (!memcmp (ti->fpr, fprbin, 20))
393 {
394 if (ti->flags.relax)
395 {
396 err = agent_write_status (ctrl,
397 "TRUSTLISTFLAG", "relax",
398 NULL);
399 if (err)
400 return err;
401 }
402 else if (ti->flags.cm)
403 {
404 err = agent_write_status (ctrl,
405 "TRUSTLISTFLAG", "cm",
406 NULL);
407 if (err)
408 return err;
409 }
410 return 0; /* Trusted. */
411 }
412 }
413 return gpg_error (GPG_ERR_NOT_TRUSTED);
414 }
415
416
417 /* Write all trust entries to FP. */
418 gpg_error_t
419 agent_listtrusted (void *assuan_context)
420 {
421 trustitem_t *ti;
422 char key[51];
423 gpg_error_t err;
424 size_t len;
425
426 if (!trusttable)
427 {
428 err = read_trustfiles ();
429 if (err)
430 {
431 log_error (_("error reading list of trusted root certificates\n"));
432 return err;
433 }
434 }
435
436 if (trusttable)
437 {
438 /* We need to lock the table because the scheduler may interrupt
439 assuan_send_data and an other thread may then re-read the table. */
440 lock_trusttable ();
441 for (ti=trusttable, len = trusttablesize; len; ti++, len--)
442 {
443 bin2hex (ti->fpr, 20, key);
444 key[40] = ' ';
445 key[41] = ((ti->flags.for_smime && ti->flags.for_pgp)? '*'
446 : ti->flags.for_smime? 'S': ti->flags.for_pgp? 'P':' ');
447 key[42] = '\n';
448 assuan_send_data (assuan_context, key, 43);
449 assuan_send_data (assuan_context, NULL, 0); /* flush */
450 }
451 unlock_trusttable ();
452 }
453
454 return 0;
455 }
456
457
458 /* Create a copy of string with colons inserted after each two bytes.
459 Caller needs to release the string. In case of a memory failure,
460 NULL is returned. */
461 static char *
462 insert_colons (const char *string)
463 {
464 char *buffer, *p;
465 size_t n = strlen (string);
466 size_t nnew = n + (n+1)/2;
467
468 p = buffer = xtrymalloc ( nnew + 1 );
469 if (!buffer)
470 return NULL;
471 while (*string)
472 {
473 *p++ = *string++;
474 if (*string)
475 {
476 *p++ = *string++;
477 if (*string)
478 *p++ = ':';
479 }
480 }
481 *p = 0;
482 assert (strlen (buffer) <= nnew);
483
484 return buffer;
485 }
486
487
488 /* Insert the given fpr into our trustdb. We expect FPR to be an all
489 uppercase hexstring of 40 characters. FLAG is either 'P' or 'C'.
490 This function does first check whether that key has already been put
491 into the trustdb and returns success in this case. Before a FPR
492 actually gets inserted, the user is asked by means of the Pinentry
493 whether this is actual wants he want to do. */
494 gpg_error_t
495 agent_marktrusted (ctrl_t ctrl, const char *name, const char *fpr, int flag)
496 {
497 gpg_error_t err = 0;
498 char *desc;
499 char *fname;
500 FILE *fp;
501 char *fprformatted;
502
503
504 /* Check whether we are at all allowed to modify the trustlist.
505 This is useful so that the trustlist may be a symlink to a global
506 trustlist with only admin priviliges to modify it. Of course
507 this is not a secure way of denying access, but it avoids the
508 usual clicking on an Okay button most users are used to. */
509 fname = make_filename (opt.homedir, "trustlist.txt", NULL);
510 if ( access (fname, W_OK) && errno != ENOENT)
511 {
512 xfree (fname);
513 return gpg_error (GPG_ERR_EPERM);
514 }
515 xfree (fname);
516
517 if (!agent_istrusted (ctrl, fpr))
518 {
519 return 0; /* We already got this fingerprint. Silently return
520 success. */
521 }
522
523 /* This feature must explicitly been enabled. */
524 if (!opt.allow_mark_trusted)
525 return gpg_error (GPG_ERR_NOT_SUPPORTED);
526
527 /* Insert a new one. */
528 fprformatted = insert_colons (fpr);
529 if (!fprformatted)
530 return out_of_core ();
531 desc = xtryasprintf (
532 /* TRANSLATORS: This prompt is shown by the Pinentry
533 and has one special property: A "%%0A" is used by
534 Pinentry to insert a line break. The double
535 percent sign is actually needed because it is also
536 a printf format string. If you need to insert a
537 plain % sign, you need to encode it as "%%25". The
538 second "%s" gets replaced by a hexdecimal
539 fingerprint string whereas the first one receives
540 the name as stored in the certificate. */
541 _("Please verify that the certificate identified as:%%0A"
542 " \"%s\"%%0A"
543 "has the fingerprint:%%0A"
544 " %s"), name, fprformatted);
545 if (!desc)
546 {
547 xfree (fprformatted);
548 return out_of_core ();
549 }
550
551 /* TRANSLATORS: "Correct" is the label of a button and intended to
552 be hit if the fingerprint matches the one of the CA. The other
553 button is "the default "Cancel" of the Pinentry. */
554 err = agent_get_confirmation (ctrl, desc, _("Correct"), NULL);
555 xfree (desc);
556 /* If the user did not confirmed this, we return cancel here so that
557 gpgsm may stop asking further questions. We won't do this for
558 the second question of course. */
559 if (err)
560 {
561 xfree (fprformatted);
562 return (gpg_err_code (err) == GPG_ERR_NOT_CONFIRMED ?
563 gpg_err_make (gpg_err_source (err), GPG_ERR_CANCELED) : err);
564 }
565
566
567
568 desc = xtryasprintf (
569 /* TRANSLATORS: This prompt is shown by the Pinentry
570 and has one special property: A "%%0A" is used by
571 Pinentry to insert a line break. The double
572 percent sign is actually needed because it is also
573 a printf format string. If you need to insert a
574 plain % sign, you need to encode it as "%%25". The
575 "%s" gets replaced by the name as store in the
576 certificate. */
577 _("Do you ultimately trust%%0A"
578 " \"%s\"%%0A"
579 "to correctly certify user certificates?"),
580 name);
581 if (!desc)
582 {
583 xfree (fprformatted);
584 return out_of_core ();
585 }
586
587 err = agent_get_confirmation (ctrl, desc, _("Yes"), _("No"));
588 xfree (desc);
589 if (err)
590 {
591 xfree (fprformatted);
592 return err;
593 }
594
595 /* Now check again to avoid duplicates. We take the lock to make
596 sure that nobody else plays with our file. Frankly we don't work
597 with the trusttable but using this lock is just fine for our
598 purpose. */
599 lock_trusttable ();
600 if (!agent_istrusted (ctrl, fpr))
601 {
602 unlock_trusttable ();
603 xfree (fprformatted);
604 return 0;
605 }
606
607
608 fname = make_filename (opt.homedir, "trustlist.txt", NULL);
609 if ( access (fname, F_OK) && errno == ENOENT)
610 {
611 fp = fopen (fname, "wx"); /* Warning: "x" is a GNU extension. */
612 if (!fp)
613 {
614 err = gpg_error_from_syserror ();
615 log_error ("can't create `%s': %s\n", fname, gpg_strerror (err));
616 xfree (fname);
617 unlock_trusttable ();
618 xfree (fprformatted);
619 return err;
620 }
621 fputs (headerblurb, fp);
622 fclose (fp);
623 }
624 fp = fopen (fname, "a+");
625 if (!fp)
626 {
627 err = gpg_error_from_syserror ();
628 log_error ("can't open `%s': %s\n", fname, gpg_strerror (err));
629 xfree (fname);
630 unlock_trusttable ();
631 xfree (fprformatted);
632 return err;
633 }
634
635 /* Append the key. */
636 fputs ("\n# ", fp);
637 print_sanitized_string (fp, name, 0);
638 fprintf (fp, "\n%s %c\n", fprformatted, flag);
639 if (ferror (fp))
640 err = gpg_error_from_syserror ();
641
642 if (fclose (fp))
643 err = gpg_error_from_syserror ();
644
645 if (!err)
646 agent_reload_trustlist ();
647 xfree (fname);
648 unlock_trusttable ();
649 xfree (fprformatted);
650 return err;
651 }
652
653
654 /* This function may be called to force reloading of the
655 trustlist. */
656 void
657 agent_reload_trustlist (void)
658 {
659 /* All we need to do is to delete the trusttable. At the next
660 access it will get re-read. */
661 lock_trusttable ();
662 xfree (trusttable);
663 trusttable = NULL;
664 trusttablesize = 0;
665 unlock_trusttable ();
666 bump_key_eventcounter ();
667 }
gnupg svn clone