1 /* trustlist.c - Maintain the list of trusted keys
2 * Copyright (C) 2002, 2004, 2006, 2007, 2009 Free Software Foundation, Inc.
4 * This file is part of GnuPG.
6 * GnuPG is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * GnuPG is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
32 #include <assuan.h> /* fixme: need a way to avoid assuan calls here */
37 /* A structure to store the information from the trust file. */
42 int disabled:1; /* This entry is disabled. */
43 int for_pgp:1; /* Set by '*' or 'P' as first flag. */
44 int for_smime:1; /* Set by '*' or 'S' as first flag. */
45 int relax:1; /* Relax checking of root certificate
47 int cm:1; /* Use chain model for validation. */
49 unsigned char fpr[20]; /* The binary fingerprint. */
51 typedef struct trustitem_s trustitem_t;
53 /* Malloced table and its allocated size with all trust items. */
54 static trustitem_t *trusttable;
55 static size_t trusttablesize;
56 /* A mutex used to protect the table. */
57 static pth_mutex_t trusttable_lock;
61 static const char headerblurb[] =
62 "# This is the list of trusted keys. Comment lines, like this one, as\n"
63 "# well as empty lines are ignored. Lines have a length limit but this\n"
64 "# is not a serious limitation as the format of the entries is fixed and\n"
65 "# checked by gpg-agent. A non-comment line starts with optional white\n"
66 "# space, followed by the SHA-1 fingerpint in hex, followed by a flag\n"
67 "# which may be one of 'P', 'S' or '*' and optionally followed by a list of\n"
68 "# other flags. The fingerprint may be prefixed with a '!' to mark the\n"
69 "# key as not trusted. You should give the gpg-agent a HUP or run the\n"
70 "# command \"gpgconf --reload gpg-agent\" after changing this file.\n"
72 "# Include the default trust list\n"
77 /* This function must be called once to initialize this module. This
78 has to be done before a second thread is spawned. We can't do the
79 static initialization because Pth emulation code might not be able
80 to do a static init; in particular, it is not possible for W32. */
82 initialize_module_trustlist (void)
84 static int initialized;
88 if (!pth_mutex_init (&trusttable_lock))
89 log_fatal ("error initializing mutex: %s\n", strerror (errno));
98 lock_trusttable (void)
100 if (!pth_mutex_acquire (&trusttable_lock, 0, NULL))
101 log_fatal ("failed to acquire mutex in %s\n", __FILE__);
105 unlock_trusttable (void)
107 if (!pth_mutex_release (&trusttable_lock))
108 log_fatal ("failed to release mutex in %s\n", __FILE__);
114 read_one_trustfile (const char *fname, int allow_include,
115 trustitem_t **addr_of_table,
116 size_t *addr_of_tablesize,
117 int *addr_of_tableidx)
123 trustitem_t *table, *ti;
128 table = *addr_of_table;
129 tablesize = *addr_of_tablesize;
130 tableidx = *addr_of_tableidx;
132 fp = fopen (fname, "r");
135 err = gpg_error_from_syserror ();
136 log_error (_("error opening `%s': %s\n"), fname, gpg_strerror (err));
140 while (fgets (line, DIM(line)-1, fp))
144 if (!*line || line[strlen(line)-1] != '\n')
146 /* Eat until end of line. */
147 while ( (c=getc (fp)) != EOF && c != '\n')
149 err = gpg_error (*line? GPG_ERR_LINE_TOO_LONG
150 : GPG_ERR_INCOMPLETE_LINE);
151 log_error (_("file `%s', line %d: %s\n"),
152 fname, lnr, gpg_strerror (err));
155 line[strlen(line)-1] = 0; /* Chop the LF. */
157 /* Allow for empty lines and spaces */
158 for (p=line; spacep (p); p++)
160 if (!*p || *p == '#')
163 if (!strncmp (p, "include-default", 15)
164 && (!p[15] || spacep (p+15)))
171 log_error (_("statement \"%s\" ignored in `%s', line %d\n"),
172 "include-default", fname, lnr);
175 /* fixme: Should check for trailing garbage. */
177 etcname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
178 if ( !strcmp (etcname, fname) ) /* Same file. */
179 log_info (_("statement \"%s\" ignored in `%s', line %d\n"),
180 "include-default", fname, lnr);
181 else if ( access (etcname, F_OK) && errno == ENOENT )
183 /* A non existent system trustlist is not an error.
184 Just print a note. */
185 log_info (_("system trustlist `%s' not available\n"), etcname);
189 err2 = read_one_trustfile (etcname, 0,
190 &table, &tablesize, &tableidx);
199 if (tableidx == tablesize) /* Need more space. */
204 tmplen = tablesize + 20;
205 tmp = xtryrealloc (table, tmplen * sizeof *table);
208 err = gpg_error_from_syserror ();
215 ti = table + tableidx;
217 memset (&ti->flags, 0, sizeof ti->flags);
220 ti->flags.disabled = 1;
226 n = hexcolon2bin (p, ti->fpr, 20);
229 log_error (_("bad fingerprint in `%s', line %d\n"), fname, lnr);
230 err = gpg_error (GPG_ERR_BAD_DATA);
234 for (; spacep (p); p++)
237 /* Process the first flag which needs to be the first for
238 backward compatibility. */
239 if (!*p || *p == '*' )
241 ti->flags.for_smime = 1;
242 ti->flags.for_pgp = 1;
244 else if ( *p == 'P' || *p == 'p')
246 ti->flags.for_pgp = 1;
248 else if ( *p == 'S' || *p == 's')
250 ti->flags.for_smime = 1;
254 log_error (_("invalid keyflag in `%s', line %d\n"), fname, lnr);
255 err = gpg_error (GPG_ERR_BAD_DATA);
259 if ( *p && !spacep (p) )
261 log_error (_("invalid keyflag in `%s', line %d\n"), fname, lnr);
262 err = gpg_error (GPG_ERR_BAD_DATA);
266 /* Now check for more key-value pairs of the form NAME[=VALUE]. */
269 for (; spacep (p); p++)
273 n = strcspn (p, "= \t");
276 log_error ("assigning a value to a flag is not yet supported; "
277 "in `%s', line %d\n", fname, lnr);
278 err = gpg_error (GPG_ERR_BAD_DATA);
281 else if (n == 5 && !memcmp (p, "relax", 5))
283 else if (n == 2 && !memcmp (p, "cm", 2))
286 log_error ("flag `%.*s' in `%s', line %d ignored\n",
292 if ( !err && !feof (fp) )
294 err = gpg_error_from_syserror ();
295 log_error (_("error reading `%s', line %d: %s\n"),
296 fname, lnr, gpg_strerror (err));
302 *addr_of_table = table;
303 *addr_of_tablesize = tablesize;
304 *addr_of_tableidx = tableidx;
309 /* Read the trust files and update the global table on success. */
311 read_trustfiles (void)
314 trustitem_t *table, *ti;
318 int allow_include = 1;
321 table = xtrycalloc (tablesize, sizeof *table);
323 return gpg_error_from_syserror ();
326 fname = make_filename (opt.homedir, "trustlist.txt", NULL);
327 if ( access (fname, F_OK) )
329 if ( errno == ENOENT )
330 ; /* Silently ignore a non-existing trustfile. */
333 err = gpg_error_from_syserror ();
334 log_error (_("error opening `%s': %s\n"), fname, gpg_strerror (err));
337 fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
340 err = read_one_trustfile (fname, allow_include,
341 &table, &tablesize, &tableidx);
347 if (gpg_err_code (err) == GPG_ERR_ENOENT)
349 /* Take a missing trustlist as an empty one. */
354 unlock_trusttable ();
360 /* Fixme: we should drop duplicates and sort the table. */
361 ti = xtryrealloc (table, (tableidx?tableidx:1) * sizeof *table);
364 err = gpg_error_from_syserror ();
372 trusttablesize = tableidx;
373 unlock_trusttable ();
379 /* Check whether the given fpr is in our trustdb. We expect FPR to be
380 an all uppercase hexstring of 40 characters. */
382 agent_istrusted (ctrl_t ctrl, const char *fpr, int *r_disabled)
387 unsigned char fprbin[20];
392 if ( hexcolon2bin (fpr, fprbin, 20) < 0 )
393 return gpg_error (GPG_ERR_INV_VALUE);
397 err = read_trustfiles ();
400 log_error (_("error reading list of trusted root certificates\n"));
407 for (ti=trusttable, len = trusttablesize; len; ti++, len--)
408 if (!memcmp (ti->fpr, fprbin, 20))
410 if (ti->flags.disabled && r_disabled)
415 err = agent_write_status (ctrl,
416 "TRUSTLISTFLAG", "relax",
421 else if (ti->flags.cm)
423 err = agent_write_status (ctrl,
424 "TRUSTLISTFLAG", "cm",
429 return ti->flags.disabled? gpg_error (GPG_ERR_NOT_TRUSTED) : 0;
432 return gpg_error (GPG_ERR_NOT_TRUSTED);
436 /* Write all trust entries to FP. */
438 agent_listtrusted (void *assuan_context)
447 err = read_trustfiles ();
450 log_error (_("error reading list of trusted root certificates\n"));
457 /* We need to lock the table because the scheduler may interrupt
458 assuan_send_data and an other thread may then re-read the table. */
460 for (ti=trusttable, len = trusttablesize; len; ti++, len--)
462 if (ti->flags.disabled)
464 bin2hex (ti->fpr, 20, key);
466 key[41] = ((ti->flags.for_smime && ti->flags.for_pgp)? '*'
467 : ti->flags.for_smime? 'S': ti->flags.for_pgp? 'P':' ');
469 assuan_send_data (assuan_context, key, 43);
470 assuan_send_data (assuan_context, NULL, 0); /* flush */
472 unlock_trusttable ();
479 /* Create a copy of string with colons inserted after each two bytes.
480 Caller needs to release the string. In case of a memory failure,
483 insert_colons (const char *string)
486 size_t n = strlen (string);
487 size_t nnew = n + (n+1)/2;
489 p = buffer = xtrymalloc ( nnew + 1 );
503 assert (strlen (buffer) <= nnew);
509 /* To pretty print DNs in the Pinentry, we replace slashes by
510 REPLSTRING. The caller needs to free the returned string. NULL is
511 returned on error with ERRNO set. */
513 reformat_name (const char *name, const char *replstring)
519 size_t replstringlen = strlen (replstring);
521 /* If the name does not start with a slash it is not a preformatted
522 DN and thus we don't bother to reformat it. */
524 return xtrystrdup (name);
526 /* Count the names. Note that a slash contained in a DN part is
527 expected to be C style escaped and thus the slashes we see here
528 are the actual part delimiters. */
529 for (s=name+1, count=0; *s; s++)
532 newname = xtrymalloc (strlen (name) + count*replstringlen + 1);
535 for (s=name+1, d=newname; *s; s++)
537 d = stpcpy (d, replstring);
545 /* Insert the given fpr into our trustdb. We expect FPR to be an all
546 uppercase hexstring of 40 characters. FLAG is either 'P' or 'C'.
547 This function does first check whether that key has already been put
548 into the trustdb and returns success in this case. Before a FPR
549 actually gets inserted, the user is asked by means of the Pinentry
550 whether this is actual want he wants to do. */
552 agent_marktrusted (ctrl_t ctrl, const char *name, const char *fpr, int flag)
563 /* Check whether we are at all allowed to modify the trustlist.
564 This is useful so that the trustlist may be a symlink to a global
565 trustlist with only admin priviliges to modify it. Of course
566 this is not a secure way of denying access, but it avoids the
567 usual clicking on an Okay button most users are used to. */
568 fname = make_filename (opt.homedir, "trustlist.txt", NULL);
569 if ( access (fname, W_OK) && errno != ENOENT)
572 return gpg_error (GPG_ERR_EPERM);
576 if (!agent_istrusted (ctrl, fpr, &is_disabled))
578 return 0; /* We already got this fingerprint. Silently return
582 /* This feature must explicitly been enabled. */
583 if (!opt.allow_mark_trusted)
584 return gpg_error (GPG_ERR_NOT_SUPPORTED);
588 /* There is an disabled entry in the trustlist. Return an error
589 so that the user won't be asked again for that one. Changing
590 this flag with the integrated marktrusted feature is and will
591 not be made possible. */
592 return gpg_error (GPG_ERR_NOT_TRUSTED);
596 /* Insert a new one. */
597 nameformatted = reformat_name (name, "%0A ");
599 return gpg_error_from_syserror ();
601 /* First a general question whether this is trusted. */
602 desc = xtryasprintf (
603 /* TRANSLATORS: This prompt is shown by the Pinentry
604 and has one special property: A "%%0A" is used by
605 Pinentry to insert a line break. The double
606 percent sign is actually needed because it is also
607 a printf format string. If you need to insert a
608 plain % sign, you need to encode it as "%%25". The
609 "%s" gets replaced by the name as stored in the
611 _("Do you ultimately trust%%0A"
613 "to correctly certify user certificates?"),
617 xfree (nameformatted);
618 return out_of_core ();
620 err = agent_get_confirmation (ctrl, desc, _("Yes"), _("No"), 1);
624 else if (gpg_err_code (err) == GPG_ERR_NOT_CONFIRMED)
628 xfree (nameformatted);
633 fprformatted = insert_colons (fpr);
636 xfree (nameformatted);
637 return out_of_core ();
640 /* If the user trusts this certificate he has to verify the
641 fingerprint of course. */
646 /* TRANSLATORS: This prompt is shown by the Pinentry and has
647 one special property: A "%%0A" is used by Pinentry to
648 insert a line break. The double percent sign is actually
649 needed because it is also a printf format string. If you
650 need to insert a plain % sign, you need to encode it as
651 "%%25". The second "%s" gets replaced by a hexdecimal
652 fingerprint string whereas the first one receives the name
653 as stored in the certificate. */
654 _("Please verify that the certificate identified as:%%0A"
656 "has the fingerprint:%%0A"
657 " %s"), nameformatted, fprformatted);
660 xfree (fprformatted);
661 xfree (nameformatted);
662 return out_of_core ();
665 /* TRANSLATORS: "Correct" is the label of a button and intended
666 to be hit if the fingerprint matches the one of the CA. The
667 other button is "the default "Cancel" of the Pinentry. */
668 err = agent_get_confirmation (ctrl, desc, _("Correct"), _("Wrong"), 1);
670 if (gpg_err_code (err) == GPG_ERR_NOT_CONFIRMED)
674 xfree (fprformatted);
675 xfree (nameformatted);
681 /* Now check again to avoid duplicates. We take the lock to make
682 sure that nobody else plays with our file and force a reread. */
684 agent_reload_trustlist ();
685 if (!agent_istrusted (ctrl, fpr, &is_disabled) || is_disabled)
687 unlock_trusttable ();
688 xfree (fprformatted);
689 xfree (nameformatted);
690 return is_disabled? gpg_error (GPG_ERR_NOT_TRUSTED) : 0;
693 fname = make_filename (opt.homedir, "trustlist.txt", NULL);
694 if ( access (fname, F_OK) && errno == ENOENT)
696 fp = es_fopen (fname, "wx");
699 err = gpg_error_from_syserror ();
700 log_error ("can't create `%s': %s\n", fname, gpg_strerror (err));
702 unlock_trusttable ();
703 xfree (fprformatted);
704 xfree (nameformatted);
707 es_fputs (headerblurb, fp);
710 fp = es_fopen (fname, "a+");
713 err = gpg_error_from_syserror ();
714 log_error ("can't open `%s': %s\n", fname, gpg_strerror (err));
716 unlock_trusttable ();
717 xfree (fprformatted);
718 xfree (nameformatted);
722 /* Append the key. */
723 es_fputs ("\n# ", fp);
724 xfree (nameformatted);
725 nameformatted = reformat_name (name, "\n# ");
726 if (!nameformatted || strchr (name, '\n'))
728 /* Note that there should never be a LF in NAME but we better
729 play safe and print a sanitized version in this case. */
730 es_write_sanitized (fp, name, strlen (name), NULL, NULL);
733 es_fputs (nameformatted, fp);
734 es_fprintf (fp, "\n%s%s %c\n", yes_i_trust?"":"!", fprformatted, flag);
736 err = gpg_error_from_syserror ();
739 err = gpg_error_from_syserror ();
741 agent_reload_trustlist ();
743 unlock_trusttable ();
744 xfree (fprformatted);
745 xfree (nameformatted);
750 /* This function may be called to force reloading of the
753 agent_reload_trustlist (void)
755 /* All we need to do is to delete the trusttable. At the next
756 access it will get re-read. */
761 unlock_trusttable ();
762 bump_key_eventcounter ();