diff options
Diffstat (limited to 'g10/tofu.c')
-rw-r--r-- | g10/tofu.c | 4033 |
1 files changed, 4033 insertions, 0 deletions
diff --git a/g10/tofu.c b/g10/tofu.c new file mode 100644 index 0000000..9cdcfaa --- /dev/null +++ b/g10/tofu.c @@ -0,0 +1,4033 @@ +/* tofu.c - TOFU trust model. + * Copyright (C) 2015, 2016 g10 Code GmbH + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <https://www.gnu.org/licenses/>. + */ + +/* TODO: + + - Format the fingerprints nicely when printing (similar to gpg + --list-keys) + */ + +#include <config.h> +#include <stdio.h> +#include <sys/stat.h> +#include <stdarg.h> +#include <sqlite3.h> +#include <time.h> + +#include "gpg.h" +#include "../common/types.h" +#include "../common/logging.h" +#include "../common/stringhelp.h" +#include "options.h" +#include "../common/mbox-util.h" +#include "../common/i18n.h" +#include "../common/ttyio.h" +#include "trustdb.h" +#include "../common/mkdir_p.h" +#include "gpgsql.h" +#include "../common/status.h" + +#include "tofu.h" + + +#define CONTROL_L ('L' - 'A' + 1) + +/* Number of days with signed / ecnrypted messages required to + * indicate that enough history is available for basic trust. */ +#define BASIC_TRUST_THRESHOLD 4 +/* Number of days with signed / encrypted messages required to + * indicate that a lot of history is available. */ +#define FULL_TRUST_THRESHOLD 21 + + +/* A struct with data pertaining to the tofu DB. There is one such + struct per session and it is cached in session's ctrl structure. + To initialize this or get the current singleton, call opendbs(). + There is no need to explicitly release it; cleanup is done when the + CTRL object is released. */ +struct tofu_dbs_s +{ + sqlite3 *db; + char *want_lock_file; + time_t want_lock_file_ctime; + + struct + { + sqlite3_stmt *savepoint_batch; + sqlite3_stmt *savepoint_batch_commit; + + sqlite3_stmt *record_binding_get_old_policy; + sqlite3_stmt *record_binding_update; + sqlite3_stmt *get_policy_select_policy_and_conflict; + sqlite3_stmt *get_trust_bindings_with_this_email; + sqlite3_stmt *get_trust_gather_other_user_ids; + sqlite3_stmt *get_trust_gather_signature_stats; + sqlite3_stmt *get_trust_gather_encryption_stats; + sqlite3_stmt *register_already_seen; + sqlite3_stmt *register_signature; + sqlite3_stmt *register_encryption; + } s; + + int in_batch_transaction; + int in_transaction; + time_t batch_update_started; +}; + + +#define STRINGIFY(s) STRINGIFY2(s) +#define STRINGIFY2(s) #s + +/* The grouping parameters when collecting signature statistics. */ + +/* If a message is signed a couple of hours in the future, just assume + some clock skew. */ +#define TIME_AGO_FUTURE_IGNORE (2 * 60 * 60) +/* Days. */ +#define TIME_AGO_UNIT_SMALL (24 * 60 * 60) +#define TIME_AGO_SMALL_THRESHOLD (7 * TIME_AGO_UNIT_SMALL) +/* Months. */ +#define TIME_AGO_UNIT_MEDIUM (30 * 24 * 60 * 60) +#define TIME_AGO_MEDIUM_THRESHOLD (2 * TIME_AGO_UNIT_MEDIUM) +/* Years. */ +#define TIME_AGO_UNIT_LARGE (365 * 24 * 60 * 60) +#define TIME_AGO_LARGE_THRESHOLD (2 * TIME_AGO_UNIT_LARGE) + +/* Local prototypes. */ +static gpg_error_t end_transaction (ctrl_t ctrl, int only_batch); +static char *email_from_user_id (const char *user_id); +static int show_statistics (tofu_dbs_t dbs, + const char *fingerprint, const char *email, + enum tofu_policy policy, + estream_t outfp, int only_status_fd, time_t now); + +const char * +tofu_policy_str (enum tofu_policy policy) +{ + switch (policy) + { + case TOFU_POLICY_NONE: return "none"; + case TOFU_POLICY_AUTO: return "auto"; + case TOFU_POLICY_GOOD: return "good"; + case TOFU_POLICY_UNKNOWN: return "unknown"; + case TOFU_POLICY_BAD: return "bad"; + case TOFU_POLICY_ASK: return "ask"; + default: return "???"; + } +} + +/* Convert a binding policy (e.g., TOFU_POLICY_BAD) to a trust level + (e.g., TRUST_BAD) in light of the current configuration. */ +int +tofu_policy_to_trust_level (enum tofu_policy policy) +{ + if (policy == TOFU_POLICY_AUTO) + /* If POLICY is AUTO, fallback to OPT.TOFU_DEFAULT_POLICY. */ + policy = opt.tofu_default_policy; + + switch (policy) + { + case TOFU_POLICY_AUTO: + /* If POLICY and OPT.TOFU_DEFAULT_POLICY are both AUTO, default + to marginal trust. */ + return TRUST_MARGINAL; + case TOFU_POLICY_GOOD: + return TRUST_FULLY; + case TOFU_POLICY_UNKNOWN: + return TRUST_UNKNOWN; + case TOFU_POLICY_BAD: + return TRUST_NEVER; + case TOFU_POLICY_ASK: + return TRUST_UNKNOWN; + default: + log_bug ("Bad value for trust policy: %d\n", + opt.tofu_default_policy); + return 0; + } +} + + + +/* Start a transaction on DB. If ONLY_BATCH is set, then this will + start a batch transaction if we haven't started a batch transaction + and one has been requested. */ +static gpg_error_t +begin_transaction (ctrl_t ctrl, int only_batch) +{ + tofu_dbs_t dbs = ctrl->tofu.dbs; + int rc; + char *err = NULL; + + log_assert (dbs); + + /* If we've been in batch update mode for a while (on average, more + * than 500 ms), to prevent starving other gpg processes, we drop + * and retake the batch lock. + * + * Note: gnupg_get_time has a one second resolution, if we wanted a + * higher resolution, we could use npth_clock_gettime. */ + if (/* No real transactions. */ + dbs->in_transaction == 0 + /* There is an open batch transaction. */ + && dbs->in_batch_transaction + /* And some time has gone by since it was started. */ + && dbs->batch_update_started != gnupg_get_time ()) + { + struct stat statbuf; + + /* If we are in a batch update, then batch updates better have + been enabled. */ + log_assert (ctrl->tofu.batch_updated_wanted); + + /* Check if another process wants to run. (We just ignore any + * stat failure. A waiter might have to wait a bit longer, but + * otherwise there should be no impact.) */ + if (gnupg_stat (dbs->want_lock_file, &statbuf) == 0 + && statbuf.st_ctime != dbs->want_lock_file_ctime) + { + end_transaction (ctrl, 2); + + /* Yield to allow another process a chance to run. Note: + * testing suggests that anything less than a 100ms tends to + * not result in the other process getting the lock. */ + gnupg_usleep (100000); + } + else + dbs->batch_update_started = gnupg_get_time (); + } + + if (/* We don't have an open batch transaction. */ + !dbs->in_batch_transaction + && (/* Batch mode is enabled or we are starting a new transaction. */ + ctrl->tofu.batch_updated_wanted || dbs->in_transaction == 0)) + { + struct stat statbuf; + + /* We are in batch mode, but we don't have an open batch + * transaction. Since the batch save point must be the outer + * save point, it must be taken before the inner save point. */ + log_assert (dbs->in_transaction == 0); + + rc = gpgsql_stepx (dbs->db, &dbs->s.savepoint_batch, + NULL, NULL, &err, + "begin immediate transaction;", GPGSQL_ARG_END); + if (rc) + { + log_error (_("error beginning transaction on TOFU database: %s\n"), + err); + sqlite3_free (err); + return gpg_error (GPG_ERR_GENERAL); + } + + dbs->in_batch_transaction = 1; + dbs->batch_update_started = gnupg_get_time (); + + if (gnupg_stat (dbs->want_lock_file, &statbuf) == 0) + dbs->want_lock_file_ctime = statbuf.st_ctime; + } + + if (only_batch) + return 0; + + log_assert (dbs->in_transaction >= 0); + dbs->in_transaction ++; + + rc = gpgsql_exec_printf (dbs->db, NULL, NULL, &err, + "savepoint inner%d;", + dbs->in_transaction); + if (rc) + { + log_error (_("error beginning transaction on TOFU database: %s\n"), + err); + sqlite3_free (err); + return gpg_error (GPG_ERR_GENERAL); + } + + return 0; +} + + +/* Commit a transaction. If ONLY_BATCH is 1, then this only ends the + * batch transaction if we have left batch mode. If ONLY_BATCH is 2, + * this commits any open batch transaction even if we are still in + * batch mode. */ +static gpg_error_t +end_transaction (ctrl_t ctrl, int only_batch) +{ + tofu_dbs_t dbs = ctrl->tofu.dbs; + int rc; + char *err = NULL; + + if (only_batch || (! only_batch && dbs->in_transaction == 1)) + { + if (!dbs) + return 0; /* Shortcut to allow for easier cleanup code. */ + + /* If we are releasing the batch transaction, then we better not + be in a normal transaction. */ + if (only_batch) + log_assert (dbs->in_transaction == 0); + + if (/* Batch mode disabled? */ + (!ctrl->tofu.batch_updated_wanted || only_batch == 2) + /* But, we still have an open batch transaction? */ + && dbs->in_batch_transaction) + { + /* The batch transaction is still in open, but we've left + * batch mode. */ + dbs->in_batch_transaction = 0; + dbs->in_transaction = 0; + + rc = gpgsql_stepx (dbs->db, &dbs->s.savepoint_batch_commit, + NULL, NULL, &err, + "commit transaction;", GPGSQL_ARG_END); + if (rc) + { + log_error (_("error committing transaction on TOFU database: %s\n"), + err); + sqlite3_free (err); + return gpg_error (GPG_ERR_GENERAL); + } + + return 0; + } + + if (only_batch) + return 0; + } + + log_assert (dbs); + log_assert (dbs->in_transaction > 0); + + rc = gpgsql_exec_printf (dbs->db, NULL, NULL, &err, + "release inner%d;", dbs->in_transaction); + + dbs->in_transaction --; + + if (rc) + { + log_error (_("error committing transaction on TOFU database: %s\n"), + err); + sqlite3_free (err); + return gpg_error (GPG_ERR_GENERAL); + } + + return 0; +} + + +static gpg_error_t +rollback_transaction (ctrl_t ctrl) +{ + tofu_dbs_t dbs = ctrl->tofu.dbs; + int rc; + char *err = NULL; + + log_assert (dbs); + log_assert (dbs->in_transaction > 0); + + /* Be careful to not undo any progress made by closed transactions in + batch mode. */ + rc = gpgsql_exec_printf (dbs->db, NULL, NULL, &err, + "rollback to inner%d;", + dbs->in_transaction); + + dbs->in_transaction --; + + if (rc) + { + log_error (_("error rolling back transaction on TOFU database: %s\n"), + err); + sqlite3_free (err); + return gpg_error (GPG_ERR_GENERAL); + } + + return 0; +} + +void +tofu_begin_batch_update (ctrl_t ctrl) +{ + ctrl->tofu.batch_updated_wanted ++; +} + +void +tofu_end_batch_update (ctrl_t ctrl) +{ + log_assert (ctrl->tofu.batch_updated_wanted > 0); + ctrl->tofu.batch_updated_wanted --; + end_transaction (ctrl, 1); +} + +/* Suspend any extant batch transaction (it is safe to call this even + no batch transaction has been started). Note: you cannot suspend a + batch transaction if you are in a normal transaction. The batch + transaction can be resumed explicitly by calling + tofu_resume_batch_transaction or implicitly by starting a normal + transaction. */ +static void +tofu_suspend_batch_transaction (ctrl_t ctrl) +{ + end_transaction (ctrl, 2); +} + +/* Resume a batch transaction if there is no extant batch transaction + and one has been requested using tofu_begin_batch_transaction. */ +static void +tofu_resume_batch_transaction (ctrl_t ctrl) +{ + begin_transaction (ctrl, 1); +} + + + +/* Wrapper around strtol which prints a warning in case of a + * conversion error. On success the converted value is stored at + * R_VALUE and 0 is returned; on error FALLBACK is stored at R_VALUE + * and an error code is returned. */ +static gpg_error_t +string_to_long (long *r_value, const char *string, long fallback, int line) +{ + gpg_error_t err; + char *tail = NULL; + + gpg_err_set_errno (0); + *r_value = strtol (string, &tail, 0); + if (errno || !(!strcmp (tail, ".0") || !*tail)) + { + err = errno? gpg_error_from_errno (errno) : gpg_error (GPG_ERR_BAD_DATA); + log_debug ("%s:%d: strtol failed for TOFU DB data; returned string" + " (string='%.10s%s'; tail='%.10s%s'): %s\n", + __FILE__, line, + string, string && strlen(string) > 10 ? "..." : "", + tail, tail && strlen(tail) > 10 ? "..." : "", + gpg_strerror (err)); + *r_value = fallback; + } + else + err = 0; + + return err; +} + + +/* Wrapper around strtoul which prints a warning in case of a + * conversion error. On success the converted value is stored at + * R_VALUE and 0 is returned; on error FALLBACK is stored at R_VALUE + * and an error code is returned. */ +static gpg_error_t +string_to_ulong (unsigned long *r_value, const char *string, + unsigned long fallback, int line) +{ + gpg_error_t err; + char *tail = NULL; + + gpg_err_set_errno (0); + *r_value = strtoul (string, &tail, 0); + if (errno || !(!strcmp (tail, ".0") || !*tail)) + { + err = errno? gpg_error_from_errno (errno) : gpg_error (GPG_ERR_BAD_DATA); + log_debug ("%s:%d: strtoul failed for TOFU DB data; returned string" + " (string='%.10s%s'; tail='%.10s%s'): %s\n", + __FILE__, line, + string, string && strlen(string) > 10 ? "..." : "", + tail, tail && strlen(tail) > 10 ? "..." : "", + gpg_strerror (err)); + *r_value = fallback; + } + else + err = 0; + + return err; +} + + + +/* Collect results of a select count (*) ...; style query. Aborts if + the argument is not a valid integer (or real of the form X.0). */ +static int +get_single_unsigned_long_cb (void *cookie, int argc, char **argv, + char **azColName) +{ + unsigned long int *count = cookie; + + (void) azColName; + + log_assert (argc == 1); + + if (string_to_ulong (count, argv[0], 0, __LINE__)) + return 1; /* Abort. */ + return 0; +} + +static int +get_single_unsigned_long_cb2 (void *cookie, int argc, char **argv, + char **azColName, sqlite3_stmt *stmt) +{ + (void) stmt; + return get_single_unsigned_long_cb (cookie, argc, argv, azColName); +} + +/* We expect a single integer column whose name is "version". COOKIE + must point to an int. This function always aborts. On error or a + if the version is bad, sets *VERSION to -1. */ +static int +version_check_cb (void *cookie, int argc, char **argv, char **azColName) +{ + int *version = cookie; + + if (argc != 1 || strcmp (azColName[0], "version") != 0) + { + *version = -1; + return 1; + } + + if (strcmp (argv[0], "1") == 0) + *version = 1; + else + { + log_error (_("unsupported TOFU database version: %s\n"), argv[0]); + *version = -1; + } + + /* Don't run again. */ + return 1; +} + +static int +check_utks (sqlite3 *db) +{ + int rc; + char *err = NULL; + struct key_item *utks; + struct key_item *ki; + int utk_count; + char *utks_string = NULL; + char keyid_str[16+1]; + long utks_unchanged = 0; + + /* An early version of the v1 format did not include the list of + * known ultimately trusted keys. + * + * This list is used to detect when the set of ultimately trusted + * keys changes. We need to detect this to invalidate the effective + * policy, which can change if an ultimately trusted key is added or + * removed. */ + rc = sqlite3_exec (db, + "create table if not exists ultimately_trusted_keys" + " (keyid);\n", + NULL, NULL, &err); + if (rc) + { + log_error ("error creating 'ultimately_trusted_keys' TOFU table: %s\n", + err); + sqlite3_free (err); + goto out; + } + + + utks = tdb_utks (); + for (ki = utks, utk_count = 0; ki; ki = ki->next, utk_count ++) + ; + + if (utk_count) + { + /* Build a list of keyids of the form "XXX","YYY","ZZZ". */ + int len = (1 + 16 + 1 + 1) * utk_count; + int o = 0; + + utks_string = xmalloc (len); + *utks_string = 0; + for (ki = utks, utk_count = 0; ki; ki = ki->next, utk_count ++) + { + utks_string[o ++] = '\''; + format_keyid (ki->kid, KF_LONG, + keyid_str, sizeof (keyid_str)); + memcpy (&utks_string[o], keyid_str, 16); + o += 16; + utks_string[o ++] = '\''; + utks_string[o ++] = ','; + } + utks_string[o - 1] = 0; + log_assert (o == len); + } + + rc = gpgsql_exec_printf + (db, get_single_unsigned_long_cb, &utks_unchanged, &err, + "select" + /* Removed UTKs? (Known UTKs in current UTKs.) */ + " ((select count(*) from ultimately_trusted_keys" + " where (keyid in (%s))) == %d)" + " and" + /* New UTKs? */ + " ((select count(*) from ultimately_trusted_keys" + " where keyid not in (%s)) == 0);", + utks_string ? utks_string : "", + utk_count, + utks_string ? utks_string : ""); + xfree (utks_string); + if (rc) + { + log_error (_("TOFU DB error")); + print_further_info ("checking if ultimately trusted keys changed: %s", + err); + sqlite3_free (err); + goto out; + } + + if (utks_unchanged) + goto out; + + if (DBG_TRUST) + log_debug ("TOFU: ultimately trusted keys changed.\n"); + + /* Given that the set of ultimately trusted keys + * changed, clear any cached policies. */ + rc = gpgsql_exec_printf + (db, NULL, NULL, &err, + "update bindings set effective_policy = %d;", + TOFU_POLICY_NONE); + if (rc) + { + log_error (_("TOFU DB error")); + print_further_info ("clearing cached policies: %s", err); + sqlite3_free (err); + goto out; + } + + /* Now, update the UTK table. */ + rc = sqlite3_exec (db, + "drop table ultimately_trusted_keys;", + NULL, NULL, &err); + if (rc) + { + log_error (_("TOFU DB error")); + print_further_info ("dropping ultimately_trusted_keys: %s", err); + sqlite3_free (err); + goto out; + } + + rc = sqlite3_exec (db, + "create table if not exists" + " ultimately_trusted_keys (keyid);\n", + NULL, NULL, &err); + if (rc) + { + log_error (_("TOFU DB error")); + print_further_info ("creating ultimately_trusted_keys: %s", err); + sqlite3_free (err); + goto out; + } + + for (ki = utks; ki; ki = ki->next) + { + format_keyid (ki->kid, KF_LONG, + keyid_str, sizeof (keyid_str)); + rc = gpgsql_exec_printf + (db, NULL, NULL, &err, + "insert into ultimately_trusted_keys values ('%s');", + keyid_str); + if (rc) + { + log_error (_("TOFU DB error")); + print_further_info ("updating ultimately_trusted_keys: %s", + err); + sqlite3_free (err); + goto out; + } + } + + out: + return rc; +} + +/* If the DB is new, initialize it. Otherwise, check the DB's + version. + + Return 0 if the database is okay and 1 otherwise. */ +static int +initdb (sqlite3 *db) +{ + char *err = NULL; + int rc; + unsigned long int count; + int version = -1; + + rc = sqlite3_exec (db, "begin transaction;", NULL, NULL, &err); + if (rc) + { + log_error (_("error beginning transaction on TOFU database: %s\n"), + err); + sqlite3_free (err); + return 1; + } + + /* If the DB has no tables, then assume this is a new DB that needs + to be initialized. */ + rc = sqlite3_exec (db, + "select count(*) from sqlite_master where type='table';", + get_single_unsigned_long_cb, &count, &err); + if (rc) + { + log_error (_("error reading TOFU database: %s\n"), err); + print_further_info ("query available tables"); + sqlite3_free (err); + goto out; + } + else if (count != 0) + /* Assume that the DB is already initialized. Make sure the + version is okay. */ + { + rc = sqlite3_exec (db, "select version from version;", version_check_cb, + &version, &err); + if (rc == SQLITE_ABORT && version == 1) + /* Happy, happy, joy, joy. */ + { + sqlite3_free (err); + rc = 0; + goto out; + } + else if (rc == SQLITE_ABORT && version == -1) + /* Unsupported version. */ + { + /* An error message was already displayed. */ + sqlite3_free (err); + goto out; + } + else if (rc) + /* Some error. */ + { + log_error (_("error determining TOFU database's version: %s\n"), err); + sqlite3_free (err); + goto out; + } + else + { + /* Unexpected success. This can only happen if there are no + rows. (select returned 0, but expected ABORT.) */ + log_error (_("error determining TOFU database's version: %s\n"), + gpg_strerror (GPG_ERR_NO_DATA)); + rc = 1; + goto out; + } + } + + /* Create the version table. */ + rc = sqlite3_exec (db, + "create table version (version INTEGER);", + NULL, NULL, &err); + if (rc) + { + log_error (_("error initializing TOFU database: %s\n"), err); + print_further_info ("create version"); + sqlite3_free (err); + goto out; + } + + /* Initialize the version table, which contains a single integer + value. */ + rc = sqlite3_exec (db, + "insert into version values (1);", + NULL, NULL, &err); + if (rc) + { + log_error (_("error initializing TOFU database: %s\n"), err); + print_further_info ("insert version"); + sqlite3_free (err); + goto out; + } + + /* The list of <fingerprint, email> bindings and auxiliary data. + * + * OID is a unique ID identifying this binding (and used by the + * signatures table, see below). Note: OIDs will never be + * reused. + * + * FINGERPRINT: The key's fingerprint. + * + * EMAIL: The normalized email address. + * + * USER_ID: The unmodified user id from which EMAIL was extracted. + * + * TIME: The time this binding was first observed. + * + * POLICY: The trust policy (TOFU_POLICY_BAD, etc. as an integer). + * + * CONFLICT is either NULL or a fingerprint. Assume that we have + * a binding <0xdeadbeef, foo@example.com> and then we observe + * <0xbaddecaf, foo@example.com>. There two bindings conflict + * (they have the same email address). When we observe the + * latter binding, we warn the user about the conflict and ask + * for a policy decision about the new binding. We also change + * the old binding's policy to ask if it was auto. So that we + * know why this occurred, we also set conflict to 0xbaddecaf. + */ + rc = gpgsql_exec_printf + (db, NULL, NULL, &err, + "create table bindings\n" + " (oid INTEGER PRIMARY KEY AUTOINCREMENT,\n" + " fingerprint TEXT, email TEXT, user_id TEXT, time INTEGER,\n" + " policy INTEGER CHECK (policy in (%d, %d, %d, %d, %d)),\n" + " conflict STRING,\n" + " unique (fingerprint, email));\n" + "create index bindings_fingerprint_email\n" + " on bindings (fingerprint, email);\n" + "create index bindings_email on bindings (email);\n", + TOFU_POLICY_AUTO, TOFU_POLICY_GOOD, TOFU_POLICY_UNKNOWN, + TOFU_POLICY_BAD, TOFU_POLICY_ASK); + if (rc) + { + log_error (_("error initializing TOFU database: %s\n"), err); + print_further_info ("create bindings"); + sqlite3_free (err); + goto out; + } + + /* The signatures that we have observed. + * + * BINDING refers to a record in the bindings table, which + * describes the binding (i.e., this is a foreign key that + * references bindings.oid). + * + * SIG_DIGEST is the digest stored in the signature. + * + * SIG_TIME is the timestamp stored in the signature. + * + * ORIGIN is a free-form string that describes who fed this + * signature to GnuPG (e.g., email:claws). + * + * TIME is the time this signature was registered. */ + rc = sqlite3_exec (db, + "create table signatures " + " (binding INTEGER NOT NULL, sig_digest TEXT," + " origin TEXT, sig_time INTEGER, time INTEGER," + " primary key (binding, sig_digest, origin));", + NULL, NULL, &err); + if (rc) + { + log_error (_("error initializing TOFU database: %s\n"), err); + print_further_info ("create signatures"); + sqlite3_free (err); + goto out; + } + + out: + if (! rc) + { + /* Early version of the v1 format did not include the encryption + table. Add it. */ + rc = sqlite3_exec (db, + "create table if not exists encryptions" + " (binding INTEGER NOT NULL," + " time INTEGER);" + "create index if not exists encryptions_binding" + " on encryptions (binding);\n", + NULL, NULL, &err); + if (rc) + { + log_error ("error creating 'encryptions' TOFU table: %s\n", + err); + sqlite3_free (err); + } + } + if (! rc) + { + /* The effective policy for a binding. If a key is ultimately + * trusted, then the effective policy of all of its bindings is + * good. Likewise if a key is signed by an ultimately trusted + * key, etc. If the effective policy is NONE, then we need to + * recompute the effective policy. Otherwise, the effective + * policy is considered to be up to date, i.e., effective_policy + * is a cache of the computed policy. */ + rc = gpgsql_exec_printf + (db, NULL, NULL, &err, + "alter table bindings" + " add column effective_policy INTEGER" + " DEFAULT %d" + " CHECK (effective_policy in (%d, %d, %d, %d, %d, %d));", + TOFU_POLICY_NONE, + TOFU_POLICY_NONE, TOFU_POLICY_AUTO, TOFU_POLICY_GOOD, + TOFU_POLICY_UNKNOWN, TOFU_POLICY_BAD, TOFU_POLICY_ASK); + if (rc) + { + if (rc == SQLITE_ERROR) + /* Almost certainly "duplicate column name", which we can + * safely ignore. */ + rc = 0; + else + log_error ("adding column effective_policy to bindings DB: %s\n", + err); + sqlite3_free (err); + } + } + + if (! rc) + rc = check_utks (db); + + if (rc) + { + rc = sqlite3_exec (db, "rollback;", NULL, NULL, &err); + if (rc) + { + log_error (_("error rolling back transaction on TOFU database: %s\n"), + err); + sqlite3_free (err); + } + return 1; + } + else + { + rc = sqlite3_exec (db, "end transaction;", NULL, NULL, &err); + if (rc) + { + log_error (_("error committing transaction on TOFU database: %s\n"), + err); + sqlite3_free (err); + return 1; + } + return 0; + } +} + +static int +busy_handler (void *cookie, int call_count) +{ + ctrl_t ctrl = cookie; + tofu_dbs_t dbs = ctrl->tofu.dbs; + + (void) call_count; + + /* Update the want-lock-file time stamp (specifically, the ctime) so + * that the current owner knows that we (well, someone) want the + * lock. */ + if (dbs) + { + /* Note: we don't fail if we can't create the lock file: this + * process will have to wait a bit longer, but otherwise nothing + * horrible should happen. */ + + estream_t fp; + + fp = es_fopen (dbs->want_lock_file, "w"); + if (! fp) + log_debug ("TOFU: Error opening '%s': %s\n", + dbs->want_lock_file, strerror (errno)); + else + es_fclose (fp); + } + + /* Call again. */ + return 1; +} + +/* Create a new DB handle. Returns NULL on error. */ +/* FIXME: Change to return an error code for better reporting by the + caller. */ +static tofu_dbs_t +opendbs (ctrl_t ctrl) +{ + char *filename; + sqlite3 *db; + int rc; + + if (!ctrl->tofu.dbs) + { + filename = make_filename (gnupg_homedir (), "tofu.db", NULL); + + rc = sqlite3_open (filename, &db); + if (rc) + { + log_error (_("error opening TOFU database '%s': %s\n"), + filename, sqlite3_errmsg (db)); + /* Even if an error occurs, DB is guaranteed to be valid. */ + sqlite3_close (db); + db = NULL; + } + + /* If a DB is locked wait up to 5 seconds for the lock to be cleared + before failing. */ + if (db) + { + sqlite3_busy_timeout (db, 5 * 1000); + sqlite3_busy_handler (db, busy_handler, ctrl); + } + + if (db && initdb (db)) + { + sqlite3_close (db); + db = NULL; + } + + if (db) + { + ctrl->tofu.dbs = xmalloc_clear (sizeof *ctrl->tofu.dbs); + ctrl->tofu.dbs->db = db; + ctrl->tofu.dbs->want_lock_file = xasprintf ("%s-want-lock", filename); + } + + xfree (filename); + } + else + log_assert (ctrl->tofu.dbs->db); + + return ctrl->tofu.dbs; +} + + +/* Release all of the resources associated with the DB handle. */ +void +tofu_closedbs (ctrl_t ctrl) +{ + tofu_dbs_t dbs; + sqlite3_stmt **statements; + + dbs = ctrl->tofu.dbs; + if (!dbs) + return; /* Not initialized. */ + + log_assert (dbs->in_transaction == 0); + + end_transaction (ctrl, 2); + + /* Arghh, that is a surprising use of the struct. */ + for (statements = (void *) &dbs->s; + (void *) statements < (void *) &(&dbs->s)[1]; + statements ++) + sqlite3_finalize (*statements); + + sqlite3_close (dbs->db); + xfree (dbs->want_lock_file); + xfree (dbs); + ctrl->tofu.dbs = NULL; +} + + +/* Collect results of a select min (foo) ...; style query. Aborts if + the argument is not a valid integer (or real of the form X.0). */ +static int +get_single_long_cb (void *cookie, int argc, char **argv, char **azColName) +{ + long *count = cookie; + + (void) azColName; + + log_assert (argc == 1); + + if (string_to_long (count, argv[0], 0, __LINE__)) + return 1; /* Abort. */ + + return 0; +} + +static int +get_single_long_cb2 (void *cookie, int argc, char **argv, char **azColName, + sqlite3_stmt *stmt) +{ + (void) stmt; + return get_single_long_cb (cookie, argc, argv, azColName); +} + +/* Record (or update) a trust policy about a (possibly new) + binding. + + If SHOW_OLD is set, the binding's old policy is displayed. */ +static gpg_error_t +record_binding (tofu_dbs_t dbs, const char *fingerprint, const char *email, + const char *user_id, + enum tofu_policy policy, enum tofu_policy effective_policy, + const char *conflict, int set_conflict, + int show_old, time_t now) +{ + char *fingerprint_pp = format_hexfingerprint (fingerprint, NULL, 0); + gpg_error_t rc; + char *err = NULL; + + if (! (policy == TOFU_POLICY_AUTO + || policy == TOFU_POLICY_GOOD + || policy == TOFU_POLICY_UNKNOWN + || policy == TOFU_POLICY_BAD + || policy == TOFU_POLICY_ASK)) + log_bug ("%s: Bad value for policy (%d)!\n", __func__, policy); + + + if (DBG_TRUST || show_old) + { + /* Get the old policy. Since this is just for informational + * purposes, there is no need to start a transaction or to die + * if there is a failure. */ + + /* policy_old needs to be a long and not an enum tofu_policy, + because we pass it by reference to get_single_long_cb2, which + expects a long. */ + long policy_old = TOFU_POLICY_NONE; + + rc = gpgsql_stepx + (dbs->db, &dbs->s.record_binding_get_old_policy, + get_single_long_cb2, &policy_old, &err, + "select policy from bindings where fingerprint = ? and email = ?", + GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email, + GPGSQL_ARG_END); + if (rc) + { + log_debug ("TOFU: Error reading from binding database" + " (reading policy for <key: %s, user id: %s>): %s\n", + fingerprint, email, err); + sqlite3_free (err); + } + + if (policy_old != TOFU_POLICY_NONE) + (show_old ? log_info : log_debug) + ("Changing TOFU trust policy for binding" + " <key: %s, user id: %s> from %s to %s.\n", + fingerprint, show_old ? user_id : email, + tofu_policy_str (policy_old), + tofu_policy_str (policy)); + else + (show_old ? log_info : log_debug) + ("Setting TOFU trust policy for new binding" + " <key: %s, user id: %s> to %s.\n", + fingerprint, show_old ? user_id : email, + tofu_policy_str (policy)); + } + + if (opt.dry_run) + { + log_info ("TOFU database update skipped due to --dry-run\n"); + rc = 0; + goto leave; + } + + rc = gpgsql_stepx + (dbs->db, &dbs->s.record_binding_update, NULL, NULL, &err, + "insert or replace into bindings\n" + " (oid, fingerprint, email, user_id, time," + " policy, conflict, effective_policy)\n" + " values (\n" + /* If we don't explicitly reuse the OID, then SQLite will + * reallocate a new one. We just need to search for the OID + * based on the fingerprint and email since they are unique. */ + " (select oid from bindings where fingerprint = ? and email = ?),\n" + " ?, ?, ?, ?, ?," + /* If SET_CONFLICT is 0, then preserve conflict's current value. */ + " case ?" + " when 0 then" + " (select conflict from bindings where fingerprint = ? and email = ?)" + " else ?" + " end," + " ?);", + /* oid subquery. */ + GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email, + /* values 2 through 6. */ + GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email, + GPGSQL_ARG_STRING, user_id, + GPGSQL_ARG_LONG_LONG, (long long) now, + GPGSQL_ARG_INT, (int) policy, + /* conflict subquery. */ + GPGSQL_ARG_INT, set_conflict ? 1 : 0, + GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email, + GPGSQL_ARG_STRING, conflict ? conflict : "", + GPGSQL_ARG_INT, (int) effective_policy, + GPGSQL_ARG_END); + if (rc) + { + log_error (_("error updating TOFU database: %s\n"), err); + print_further_info (" insert bindings <key: %s, user id: %s> = %s", + fingerprint, email, tofu_policy_str (policy)); + sqlite3_free (err); + goto leave; + } + + leave: + xfree (fingerprint_pp); + return rc; +} + + +/* Collect the strings returned by a query in a simple string list. + Any NULL values are converted to the empty string. + + If a result has 3 rows and each row contains two columns, then the + results are added to the list as follows (the value is parentheses + is the 1-based index in the final list): + + row 1, col 2 (6) + row 1, col 1 (5) + row 2, col 2 (4) + row 2, col 1 (3) + row 3, col 2 (2) + row 3, col 1 (1) + + This is because add_to_strlist pushes the results onto the front of + the list. The end result is that the rows are backwards, but the + columns are in the expected order. */ +static int +strings_collect_cb (void *cookie, int argc, char **argv, char **azColName) +{ + int i; + strlist_t *strlist = cookie; + + (void) azColName; + + for (i = argc - 1; i >= 0; i --) + add_to_strlist (strlist, argv[i] ? argv[i] : ""); + + return 0; +} + +static int +strings_collect_cb2 (void *cookie, int argc, char **argv, char **azColName, + sqlite3_stmt *stmt) +{ + (void) stmt; + return strings_collect_cb (cookie, argc, argv, azColName); + +} + +/* Auxiliary data structure to collect statistics about + signatures. */ +struct signature_stats +{ + struct signature_stats *next; + + /* The user-assigned policy for this binding. */ + enum tofu_policy policy; + + /* How long ago the signature was created (rounded to a multiple of + TIME_AGO_UNIT_SMALL, etc.). */ + long time_ago; + /* Number of signatures during this time. */ + unsigned long count; + + /* If the corresponding key/user id has been expired / revoked. */ + int is_expired; + int is_revoked; + + /* The key that generated this signature. */ + char fingerprint[1]; +}; + +static void +signature_stats_free (struct signature_stats *stats) +{ + while (stats) + { + struct signature_stats *next = stats->next; + xfree (stats); + stats = next; + } +} + +static void +signature_stats_prepend (struct signature_stats **statsp, + const char *fingerprint, + enum tofu_policy policy, + long time_ago, + unsigned long count) +{ + struct signature_stats *stats = + xmalloc_clear (sizeof (*stats) + strlen (fingerprint)); + + stats->next = *statsp; + *statsp = stats; + + strcpy (stats->fingerprint, fingerprint); + stats->policy = policy; + stats->time_ago = time_ago; + stats->count = count; +} + + +/* Process rows that contain the four columns: + + <fingerprint, policy, time ago, count>. */ +static int +signature_stats_collect_cb (void *cookie, int argc, char **argv, + char **azColName, sqlite3_stmt *stmt) +{ + struct signature_stats **statsp = cookie; + int i = 0; + enum tofu_policy policy; + long time_ago; + unsigned long count; + long along; + + (void) azColName; + (void) stmt; + + i ++; + + if (string_to_long (&along, argv[i], 0, __LINE__)) + return 1; /* Abort */ + policy = along; + i ++; + + if (! argv[i]) + time_ago = 0; + else + { + if (string_to_long (&time_ago, argv[i], 0, __LINE__)) + return 1; /* Abort. */ + } + i ++; + + /* If time_ago is NULL, then we had no messages, but we still have a + single row, which count(*) turns into 1. */ + if (! argv[i - 1]) + count = 0; + else + { + if (string_to_ulong (&count, argv[i], 0, __LINE__)) + return 1; /* Abort */ + } + i ++; + + log_assert (argc == i); + + signature_stats_prepend (statsp, argv[0], policy, time_ago, count); + + return 0; +} + +/* Format the first part of a conflict message and return that as a + * malloced string. Returns NULL on error. */ +static char * +format_conflict_msg_part1 (int policy, strlist_t conflict_set, + const char *email) +{ + estream_t fp; + char *fingerprint; + char *tmpstr, *text; + + log_assert (conflict_set); + fingerprint = conflict_set->d; + + fp = es_fopenmem (0, "rw,samethread"); + if (!fp) + log_fatal ("error creating memory stream: %s\n", + gpg_strerror (gpg_error_from_syserror())); + + if (policy == TOFU_POLICY_NONE) + { + es_fprintf (fp, + _("This is the first time the email address \"%s\" is " + "being used with key %s."), + email, fingerprint); + es_fputs (" ", fp); + } + else if (policy == TOFU_POLICY_ASK && conflict_set->next) + { + int conflicts = strlist_length (conflict_set); + es_fprintf + (fp, ngettext("The email address \"%s\" is associated with %d key!", + "The email address \"%s\" is associated with %d keys!", + conflicts), + email, conflicts); + if (opt.verbose) + es_fprintf (fp, + _(" Since this binding's policy was 'auto', it has been " + "changed to 'ask'.")); + es_fputs (" ", fp); + } + + es_fprintf (fp, + _("Please indicate whether this email address should" + " be associated with key %s or whether you think someone" + " is impersonating \"%s\"."), + fingerprint, email); + es_fputc ('\n', fp); + + es_fputc (0, fp); + if (es_fclose_snatch (fp, (void **)&tmpstr, NULL)) + log_fatal ("error snatching memory stream\n"); + text = format_text (tmpstr, 72, 80); + es_free (tmpstr); + + return text; +} + + +/* Return 1 if A signed B and B signed A. */ +static int +cross_sigs (const char *email, kbnode_t a, kbnode_t b) +{ + int i; + + PKT_public_key *a_pk = a->pkt->pkt.public_key; + PKT_public_key *b_pk = b->pkt->pkt.public_key; + + char a_keyid[33]; + char b_keyid[33]; + + if (DBG_TRUST) + { + format_keyid (pk_main_keyid (a_pk), + KF_LONG, a_keyid, sizeof (a_keyid)); + format_keyid (pk_main_keyid (b_pk), + KF_LONG, b_keyid, sizeof (b_keyid)); + } + + for (i = 0; i < 2; i ++) + { + /* See if SIGNER signed SIGNEE. */ + + kbnode_t signer = i == 0 ? a : b; + kbnode_t signee = i == 0 ? b : a; + + PKT_public_key *signer_pk = signer->pkt->pkt.public_key; + u32 *signer_kid = pk_main_keyid (signer_pk); + kbnode_t n; + + int saw_email = 0; + + /* Iterate over SIGNEE's keyblock and see if there is a valid + signature from SIGNER. */ + for (n = signee; n; n = n->next) + { + PKT_signature *sig; + + if (n->pkt->pkttype == PKT_USER_ID) + { + if (saw_email) + /* We're done: we've processed all signatures on the + user id. */ + break; + else + { + /* See if this is the matching user id. */ + PKT_user_id *user_id = n->pkt->pkt.user_id; + char *email2 = email_from_user_id (user_id->name); + + if (strcmp (email, email2) == 0) + saw_email = 1; + + xfree (email2); + } + } + + if (! saw_email) + continue; + + if (n->pkt->pkttype != PKT_SIGNATURE) + continue; + + sig = n->pkt->pkt.signature; + + if (! (sig->sig_class == 0x10 + || sig->sig_class == 0x11 + || sig->sig_class == 0x12 + || sig->sig_class == 0x13)) + /* Not a signature over a user id. */ + continue; + + /* SIG is on SIGNEE's keyblock. If SIG was generated by the + signer, then it's a match. */ + if (keyid_cmp (sig->keyid, signer_kid) == 0) + /* Match! */ + break; + } + if (! n) + /* We didn't find a signature from signer over signee. */ + { + if (DBG_TRUST) + log_debug ("No cross sig between %s and %s\n", + a_keyid, b_keyid); + return 0; + } + } + + /* A signed B and B signed A. */ + if (DBG_TRUST) + log_debug ("Cross sig between %s and %s\n", + a_keyid, b_keyid); + + return 1; +} + +/* Return whether the key was signed by an ultimately trusted key. */ +static int +signed_by_utk (const char *email, kbnode_t a) +{ + kbnode_t n; + int saw_email = 0; + + for (n = a; n; n = n->next) + { + PKT_signature *sig; + + if (n->pkt->pkttype == PKT_USER_ID) + { + if (saw_email) + /* We're done: we've processed all signatures on the + user id. */ + break; + else + { + /* See if this is the matching user id. */ + PKT_user_id *user_id = n->pkt->pkt.user_id; + char *email2 = email_from_user_id (user_id->name); + + if (strcmp (email, email2) == 0) + saw_email = 1; + + xfree (email2); + } + } + + if (! saw_email) + continue; + + if (n->pkt->pkttype != PKT_SIGNATURE) + continue; + + sig = n->pkt->pkt.signature; + + if (! (sig->sig_class == 0x10 + || sig->sig_class == 0x11 + || sig->sig_class == 0x12 + || sig->sig_class == 0x13)) + /* Not a signature over a user id. */ + continue; + + /* SIG is on SIGNEE's keyblock. If SIG was generated by the + signer, then it's a match. */ + if (tdb_keyid_is_utk (sig->keyid)) + { + /* Match! */ + if (DBG_TRUST) + log_debug ("TOFU: %s is signed by an ultimately trusted key.\n", + pk_keyid_str (a->pkt->pkt.public_key)); + + return 1; + } + } + + if (DBG_TRUST) + log_debug ("TOFU: %s is NOT signed by an ultimately trusted key.\n", + pk_keyid_str (a->pkt->pkt.public_key)); + + return 0; +} + + +enum + { + BINDING_NEW = 1 << 0, + BINDING_CONFLICT = 1 << 1, + BINDING_EXPIRED = 1 << 2, + BINDING_REVOKED = 1 << 3 + }; + + +/* Ask the user about the binding. There are three ways we could end + * up here: + * + * - This is a new binding and there is a conflict + * (policy == TOFU_POLICY_NONE && conflict_set_count > 1), + * + * - This is a new binding and opt.tofu_default_policy is set to + * ask. (policy == TOFU_POLICY_NONE && opt.tofu_default_policy == + * TOFU_POLICY_ASK), or, + * + * - The policy is ask (the user deferred last time) (policy == + * TOFU_POLICY_ASK). + * + * Note: this function must not be called while in a transaction! + * + * CONFLICT_SET includes all of the conflicting bindings + * with FINGERPRINT first. FLAGS is a bit-wise or of + * BINDING_NEW, etc. + */ +static void +ask_about_binding (ctrl_t ctrl, + enum tofu_policy *policy, + int *trust_level, + strlist_t conflict_set, + const char *fingerprint, + const char *email, + const char *user_id, + time_t now) +{ + tofu_dbs_t dbs; + strlist_t iter; + int conflict_set_count = strlist_length (conflict_set); + char *sqerr = NULL; + int rc; + estream_t fp; + strlist_t other_user_ids = NULL; + struct signature_stats *stats = NULL; + struct signature_stats *stats_iter = NULL; + char *prompt = NULL; + const char *choices; + + dbs = ctrl->tofu.dbs; + log_assert (dbs); + log_assert (dbs->in_transaction == 0); + + fp = es_fopenmem (0, "rw,samethread"); + if (!fp) + log_fatal ("error creating memory stream: %s\n", + gpg_strerror (gpg_error_from_syserror())); + + { + char *text = format_conflict_msg_part1 (*policy, conflict_set, email); + if (!text) /* FIXME: Return the error all the way up. */ + log_fatal ("format failed: %s\n", + gpg_strerror (gpg_error_from_syserror())); + + es_fputs (text, fp); + es_fputc ('\n', fp); + xfree (text); + } + + begin_transaction (ctrl, 0); + + /* Find other user ids associated with this key and whether the + * bindings are marked as good or bad. */ + rc = gpgsql_stepx + (dbs->db, &dbs->s.get_trust_gather_other_user_ids, + strings_collect_cb2, &other_user_ids, &sqerr, + "select user_id, policy from bindings where fingerprint = ?;", + GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_END); + if (rc) + { + log_error (_("error gathering other user IDs: %s\n"), sqerr); + sqlite3_free (sqerr); + sqerr = NULL; + rc = gpg_error (GPG_ERR_GENERAL); + } + + if (other_user_ids) + { + strlist_t strlist_iter; + + es_fprintf (fp, _("This key's user IDs:\n")); + for (strlist_iter = other_user_ids; + strlist_iter; + strlist_iter = strlist_iter->next) + { + char *other_user_id = strlist_iter->d; + char *other_thing; + enum tofu_policy other_policy; + + log_assert (strlist_iter->next); + strlist_iter = strlist_iter->next; + other_thing = strlist_iter->d; + + other_policy = atoi (other_thing); + + es_fprintf (fp, " %s (", other_user_id); + es_fprintf (fp, _("policy: %s"), tofu_policy_str (other_policy)); + es_fprintf (fp, ")\n"); + } + es_fprintf (fp, "\n"); + + free_strlist (other_user_ids); + } + + /* Get the stats for all the keys in CONFLICT_SET. */ + strlist_rev (&conflict_set); + for (iter = conflict_set; iter && ! rc; iter = iter->next) + { +#define STATS_SQL(table, time, sign) \ + "select fingerprint, policy, time_ago, count(*)\n" \ + " from\n" \ + " (select bindings.*,\n" \ + " "sign" case\n" \ + " when delta ISNULL then 1\n" \ + /* From the future (but if its just a couple of hours in the \ + * future don't turn it into a warning)? Or should we use \ + * small, medium or large units? (Note: whatever we do, we \ + * keep the value in seconds. Then when we group, everything \ + * that rounds to the same number of seconds is grouped.) */ \ + " when delta < -("STRINGIFY (TIME_AGO_FUTURE_IGNORE)") then 2\n" \ + " when delta < ("STRINGIFY (TIME_AGO_SMALL_THRESHOLD)")\n" \ + " then 3\n" \ + " when delta < ("STRINGIFY (TIME_AGO_MEDIUM_THRESHOLD)")\n" \ + " then 4\n" \ + " when delta < ("STRINGIFY (TIME_AGO_LARGE_THRESHOLD)")\n" \ + " then 5\n" \ + " else 6\n" \ + " end time_ago,\n" \ + " delta time_ago_raw\n" \ + " from bindings\n" \ + " left join\n" \ + " (select *,\n" \ + " cast(? - " time " as real) delta\n" \ + " from " table ") ss\n" \ + " on ss.binding = bindings.oid)\n" \ + " where email = ? and fingerprint = ?\n" \ + " group by time_ago\n" \ + /* Make sure the current key is first. */ \ + " order by time_ago desc;\n" + + /* Use the time when we saw the signature, not when the + signature was created as that can be forged. */ + rc = gpgsql_stepx + (dbs->db, &dbs->s.get_trust_gather_signature_stats, + signature_stats_collect_cb, &stats, &sqerr, + STATS_SQL ("signatures", "time", ""), + GPGSQL_ARG_LONG_LONG, (long long) now, + GPGSQL_ARG_STRING, email, + GPGSQL_ARG_STRING, iter->d, + GPGSQL_ARG_END); + if (rc) + { + rc = gpg_error (GPG_ERR_GENERAL); + break; + } + + if (!stats || strcmp (iter->d, stats->fingerprint) != 0) + /* No stats for this binding. Add a dummy entry. */ + signature_stats_prepend (&stats, iter->d, TOFU_POLICY_AUTO, 1, 1); + + rc = gpgsql_stepx + (dbs->db, &dbs->s.get_trust_gather_encryption_stats, + signature_stats_collect_cb, &stats, &sqerr, + STATS_SQL ("encryptions", "time", "-"), + GPGSQL_ARG_LONG_LONG, (long long) now, + GPGSQL_ARG_STRING, email, + GPGSQL_ARG_STRING, iter->d, + GPGSQL_ARG_END); + if (rc) + { + rc = gpg_error (GPG_ERR_GENERAL); + break; + } + +#undef STATS_SQL + + if (!stats || strcmp (iter->d, stats->fingerprint) != 0 + || stats->time_ago > 0) + /* No stats for this binding. Add a dummy entry. */ + signature_stats_prepend (&stats, iter->d, TOFU_POLICY_AUTO, -1, 1); + } + end_transaction (ctrl, 0); + strlist_rev (&conflict_set); + if (rc) + { + strlist_t strlist_iter; + + log_error (_("error gathering signature stats: %s\n"), sqerr); + sqlite3_free (sqerr); + sqerr = NULL; + + es_fprintf (fp, ngettext("The email address \"%s\" is" + " associated with %d key:\n", + "The email address \"%s\" is" + " associated with %d keys:\n", + conflict_set_count), + email, conflict_set_count); + for (strlist_iter = conflict_set; + strlist_iter; + strlist_iter = strlist_iter->next) + es_fprintf (fp, " %s\n", strlist_iter->d); + } + else + { + char *key = NULL; + strlist_t binding; + int seen_in_past = 0; + int encrypted = 1; + + es_fprintf (fp, _("Statistics for keys" + " with the email address \"%s\":\n"), + email); + for (stats_iter = stats; stats_iter; stats_iter = stats_iter->next) + { +#if 0 + log_debug ("%s: time_ago: %ld; count: %ld\n", + stats_iter->fingerprint, + stats_iter->time_ago, + stats_iter->count); +#endif + + if (stats_iter->time_ago > 0 && encrypted) + { + /* We've change from the encrypted stats to the verified + * stats. Reset SEEN_IN_PAST. */ + encrypted = 0; + seen_in_past = 0; + } + + if (! key || strcmp (key, stats_iter->fingerprint)) + { + int this_key; + char *key_pp; + + key = stats_iter->fingerprint; + this_key = strcmp (key, fingerprint) == 0; + key_pp = format_hexfingerprint (key, NULL, 0); + es_fprintf (fp, " %s (", key_pp); + + /* Find the associated binding. */ + for (binding = conflict_set; + binding; + binding = binding->next) + if (strcmp (key, binding->d) == 0) + break; + log_assert (binding); + + if ((binding->flags & BINDING_REVOKED)) + { + es_fprintf (fp, _("revoked")); + es_fprintf (fp, ", "); + } + else if ((binding->flags & BINDING_EXPIRED)) + { + es_fprintf (fp, _("expired")); + es_fprintf (fp, ", "); + } + + if (this_key) + es_fprintf (fp, _("this key")); + else + es_fprintf (fp, _("policy: %s"), + tofu_policy_str (stats_iter->policy)); + es_fputs ("):\n", fp); + xfree (key_pp); + + seen_in_past = 0; + + show_statistics (dbs, stats_iter->fingerprint, email, + TOFU_POLICY_ASK, NULL, 1, now); + } + + if (labs(stats_iter->time_ago) == 1) + { + /* The 1 in this case is the NULL entry. */ + log_assert (stats_iter->count == 1); + stats_iter->count = 0; + } + seen_in_past += stats_iter->count; + + es_fputs (" ", fp); + + if (!stats_iter->count) + { + if (stats_iter->time_ago > 0) + es_fprintf (fp, ngettext("Verified %d message.", + "Verified %d messages.", + seen_in_past), seen_in_past); + else + es_fprintf (fp, ngettext("Encrypted %d message.", + "Encrypted %d messages.", + seen_in_past), seen_in_past); + } + else if (labs(stats_iter->time_ago) == 2) + { + if (stats_iter->time_ago > 0) + es_fprintf (fp, ngettext("Verified %d message in the future.", + "Verified %d messages in the future.", + seen_in_past), seen_in_past); + else + es_fprintf (fp, ngettext("Encrypted %d message in the future.", + "Encrypted %d messages in the future.", + seen_in_past), seen_in_past); + /* Reset it. */ + seen_in_past = 0; + } + else + { + if (labs(stats_iter->time_ago) == 3) + { + int days = 1 + stats_iter->time_ago / TIME_AGO_UNIT_SMALL; + if (stats_iter->time_ago > 0) + es_fprintf + (fp, + ngettext("Messages verified over the past %d day: %d.", + "Messages verified over the past %d days: %d.", + days), days, seen_in_past); + else + es_fprintf + (fp, + ngettext("Messages encrypted over the past %d day: %d.", + "Messages encrypted over the past %d days: %d.", + days), days, seen_in_past); + } + else if (labs(stats_iter->time_ago) == 4) + { + int months = 1 + stats_iter->time_ago / TIME_AGO_UNIT_MEDIUM; + if (stats_iter->time_ago > 0) + es_fprintf + (fp, + ngettext("Messages verified over the past %d month: %d.", + "Messages verified over the past %d months: %d.", + months), months, seen_in_past); + else + es_fprintf + (fp, + ngettext("Messages encrypted over the past %d month: %d.", + "Messages encrypted over the past %d months: %d.", + months), months, seen_in_past); + } + else if (labs(stats_iter->time_ago) == 5) + { + int years = 1 + stats_iter->time_ago / TIME_AGO_UNIT_LARGE; + if (stats_iter->time_ago > 0) + es_fprintf + (fp, + ngettext("Messages verified over the past %d year: %d.", + "Messages verified over the past %d years: %d.", + years), years, seen_in_past); + else + es_fprintf + (fp, + ngettext("Messages encrypted over the past %d year: %d.", + "Messages encrypted over the past %d years: %d.", + years), years, seen_in_past); + } + else if (labs(stats_iter->time_ago) == 6) + { + if (stats_iter->time_ago > 0) + es_fprintf + (fp, _("Messages verified in the past: %d."), + seen_in_past); + else + es_fprintf + (fp, _("Messages encrypted in the past: %d."), + seen_in_past); + } + else + log_assert (! "Broken SQL.\n"); + } + es_fputs ("\n", fp); + } + } + + if (conflict_set_count > 1 || (conflict_set->flags & BINDING_CONFLICT)) + { + /* This is a conflict. */ + + /* TRANSLATORS: Please translate the text found in the source + * file below. We don't directly internationalize that text so + * that we can tweak it without breaking translations. */ + const char *text = _("TOFU detected a binding conflict"); + char *textbuf; + if (!strcmp (text, "TOFU detected a binding conflict")) + { + /* No translation. Use the English text. */ + text = + "Normally, an email address is associated with a single key. " + "However, people sometimes generate a new key if " + "their key is too old or they think it might be compromised. " + "Alternatively, a new key may indicate a man-in-the-middle " + "attack! Before accepting this association, you should talk to or " + "call the person to make sure this new key is legitimate."; + } + textbuf = format_text (text, 72, 80); + es_fprintf (fp, "\n%s\n", textbuf? textbuf : "[OUT OF CORE!]"); + xfree (textbuf); + } + + es_fputc ('\n', fp); + + /* Add a NUL terminator. */ + es_fputc (0, fp); + if (es_fclose_snatch (fp, (void **) &prompt, NULL)) + log_fatal ("error snatching memory stream\n"); + + /* I think showing the large message once is sufficient. If we + * would move it right before the cpr_get many lines will scroll + * away and the user might not realize that he merely entered a + * wrong choice (because he does not see that either). As a small + * benefit we allow C-L to redisplay everything. */ + tty_printf ("%s", prompt); + + /* Suspend any transaction: it could take a while until the user + responds. */ + tofu_suspend_batch_transaction (ctrl); + while (1) + { + char *response; + + /* TRANSLATORS: Two letters (normally the lower and upper case + * version of the hotkey) for each of the five choices. If + * there is only one choice in your language, repeat it. */ + choices = _("gG" "aA" "uU" "rR" "bB"); + if (strlen (choices) != 10) + log_bug ("Bad TOFU conflict translation! Please report."); + + response = cpr_get + ("tofu.conflict", + _("(G)ood, (A)ccept once, (U)nknown, (R)eject once, (B)ad? ")); + trim_spaces (response); + cpr_kill_prompt (); + if (*response == CONTROL_L) + tty_printf ("%s", prompt); + else if (!response[0]) + /* Default to unknown. Don't save it. */ + { + tty_printf (_("Defaulting to unknown.\n")); + *policy = TOFU_POLICY_UNKNOWN; + break; + } + else if (!response[1]) + { + char *choice = strchr (choices, *response); + + if (choice) + { + int c = ((size_t) choice - (size_t) choices) / 2; + + switch (c) + { + case 0: /* Good. */ + *policy = TOFU_POLICY_GOOD; + *trust_level = tofu_policy_to_trust_level (*policy); + break; + case 1: /* Accept once. */ + *policy = TOFU_POLICY_ASK; + *trust_level = tofu_policy_to_trust_level (TOFU_POLICY_GOOD); + break; + case 2: /* Unknown. */ + *policy = TOFU_POLICY_UNKNOWN; + *trust_level = tofu_policy_to_trust_level (*policy); + break; + case 3: /* Reject once. */ + *policy = TOFU_POLICY_ASK; + *trust_level = tofu_policy_to_trust_level (TOFU_POLICY_BAD); + break; + case 4: /* Bad. */ + *policy = TOFU_POLICY_BAD; + *trust_level = tofu_policy_to_trust_level (*policy); + break; + default: + log_bug ("c should be between 0 and 4 but it is %d!", c); + } + + if (record_binding (dbs, fingerprint, email, user_id, + *policy, TOFU_POLICY_NONE, NULL, 0, 0, now)) + { + /* If there's an error registering the + * binding, don't save the signature. */ + *trust_level = _tofu_GET_TRUST_ERROR; + } + break; + } + } + xfree (response); + } + + tofu_resume_batch_transaction (ctrl); + + xfree (prompt); + + signature_stats_free (stats); +} + +/* Return the set of keys that conflict with the binding <fingerprint, + email> (including the binding itself, which will be first in the + list). For each returned key also sets BINDING_NEW, etc. */ +static strlist_t +build_conflict_set (ctrl_t ctrl, tofu_dbs_t dbs, + PKT_public_key *pk, const char *fingerprint, + const char *email) +{ + gpg_error_t rc; + char *sqerr; + strlist_t conflict_set = NULL; + int conflict_set_count; + strlist_t iter; + kbnode_t *kb_all; + KEYDB_HANDLE hd; + int i; + + /* Get the fingerprints of any bindings that share the email address + * and whether the bindings have a known conflict. + * + * Note: if the binding in question is in the DB, it will also be + * returned. Thus, if the result set is empty, then <email, + * fingerprint> is a new binding. */ + rc = gpgsql_stepx + (dbs->db, &dbs->s.get_trust_bindings_with_this_email, + strings_collect_cb2, &conflict_set, &sqerr, + "select" + /* A binding should only appear once, but try not to break in the + * case of corruption. */ + " fingerprint || case sum(conflict NOTNULL) when 0 then '' else '!' end" + " from bindings where email = ?" + " group by fingerprint" + /* Make sure the current key comes first in the result list (if + it is present). */ + " order by fingerprint = ? asc, fingerprint desc;", + GPGSQL_ARG_STRING, email, + GPGSQL_ARG_STRING, fingerprint, + GPGSQL_ARG_END); + if (rc) + { + log_error (_("error reading TOFU database: %s\n"), sqerr); + print_further_info ("listing fingerprints"); + sqlite3_free (sqerr); + rc = gpg_error (GPG_ERR_GENERAL); + return NULL; + } + + /* Set BINDING_CONFLICT if the binding has a known conflict. This + * allows us to distinguish between bindings where the user + * explicitly set the policy to ask and bindings where we set the + * policy to ask due to a conflict. */ + for (iter = conflict_set; iter; iter = iter->next) + { + int l = strlen (iter->d); + if (!(l == 2 * MAX_FINGERPRINT_LEN + || l == 2 * MAX_FINGERPRINT_LEN + 1)) + { + log_error (_("TOFU db corruption detected.\n")); + print_further_info ("fingerprint '%s' is not %d characters long", + iter->d, 2 * MAX_FINGERPRINT_LEN); + } + + if (l >= 1 && iter->d[l - 1] == '!') + { + iter->flags |= BINDING_CONFLICT; + /* Remove the !. */ + iter->d[l - 1] = 0; + } + } + + /* If the current binding has not yet been recorded, add it to the + * list. (The order by above ensures that if it is present, it will + * be first.) */ + if (! (conflict_set && strcmp (conflict_set->d, fingerprint) == 0)) + { + add_to_strlist (&conflict_set, fingerprint); + conflict_set->flags |= BINDING_NEW; + } + + conflict_set_count = strlist_length (conflict_set); + + /* Eliminate false conflicts. */ + + if (conflict_set_count == 1) + /* We only have a single key. There are no false conflicts to + eliminate. But, we do need to set the flags. */ + { + if (pk->has_expired) + conflict_set->flags |= BINDING_EXPIRED; + if (pk->flags.revoked) + conflict_set->flags |= BINDING_REVOKED; + + return conflict_set; + } + + /* If two keys have cross signatures, then they are controlled by + * the same person and thus are not in conflict. */ + kb_all = xcalloc (sizeof (kb_all[0]), conflict_set_count); + hd = keydb_new (); + for (i = 0, iter = conflict_set; + i < conflict_set_count; + i ++, iter = iter->next) + { + char *fp = iter->d; + KEYDB_SEARCH_DESC desc; + kbnode_t kb; + PKT_public_key *binding_pk; + kbnode_t n; + int found_user_id; + + rc = keydb_search_reset (hd); + if (rc) + { + log_error ("resetting keydb failed: %s\n", gpg_strerror (rc)); + continue; + } + + rc = classify_user_id (fp, &desc, 0); + if (rc) + { + log_error (_("error parsing key specification '%s': %s\n"), + fp, gpg_strerror (rc)); + continue; + } + + rc = keydb_search (hd, &desc, 1, NULL); + if (rc) + { + /* Note: it is entirely possible that we don't have the key + corresponding to an entry in the TOFU DB. This can + happen if we merge two TOFU DBs, but not the key + rings. */ + log_info (_("key \"%s\" not found: %s\n"), + fp, gpg_strerror (rc)); + continue; + } + + rc = keydb_get_keyblock (hd, &kb); + if (rc) + { + log_error (_("error reading keyblock: %s\n"), + gpg_strerror (rc)); + print_further_info ("fingerprint: %s", fp); + continue; + } + + merge_keys_and_selfsig (ctrl, kb); + + log_assert (kb->pkt->pkttype == PKT_PUBLIC_KEY); + + kb_all[i] = kb; + + /* Since we have the key block, use this opportunity to figure + * out if the binding is expired or revoked. */ + binding_pk = kb->pkt->pkt.public_key; + + /* The binding is always expired/revoked if the key is + * expired/revoked. */ + if (binding_pk->has_expired) + iter->flags |= BINDING_EXPIRED; + if (binding_pk->flags.revoked) + iter->flags |= BINDING_REVOKED; + + /* The binding is also expired/revoked if the user id is + * expired/revoked. */ + n = kb; + found_user_id = 0; + while ((n = find_next_kbnode (n, PKT_USER_ID)) && ! found_user_id) + { + PKT_user_id *user_id2 = n->pkt->pkt.user_id; + char *email2; + + if (user_id2->attrib_data) + continue; + + email2 = email_from_user_id (user_id2->name); + + if (strcmp (email, email2) == 0) + { + found_user_id = 1; + + if (user_id2->flags.revoked) + iter->flags |= BINDING_REVOKED; + if (user_id2->flags.expired) + iter->flags |= BINDING_EXPIRED; + } + + xfree (email2); + } + + if (! found_user_id) + { + log_info (_("TOFU db corruption detected.\n")); + print_further_info ("user id '%s' not on key block '%s'", + email, fingerprint); + } + } + keydb_release (hd); + + /* Now that we have the key blocks, check for cross sigs. */ + { + int j; + strlist_t *prevp; + strlist_t iter_next; + int *die; + + log_assert (conflict_set_count > 0); + die = xtrycalloc (conflict_set_count, sizeof *die); + if (!die) + { + /*err = gpg_error_from_syserror ();*/ + xoutofcore (); /* Fixme: Let the function return an error. */ + } + + for (i = 0; i < conflict_set_count; i ++) + { + /* Look for cross sigs between this key (i == 0) or a key + * that has cross sigs with i == 0 (i.e., transitively) */ + if (! (i == 0 || die[i])) + continue; + + for (j = i + 1; j < conflict_set_count; j ++) + /* Be careful: we might not have a key block for a key. */ + if (kb_all[i] && kb_all[j] && cross_sigs (email, kb_all[i], kb_all[j])) + die[j] = 1; + } + + /* Free unconflicting bindings (and all of the key blocks). */ + for (iter = conflict_set, prevp = &conflict_set, i = 0; + iter; + iter = iter_next, i ++) + { + iter_next = iter->next; + + release_kbnode (kb_all[i]); + + if (die[i]) + { + *prevp = iter_next; + iter->next = NULL; + free_strlist (iter); + conflict_set_count --; + } + else + { + prevp = &iter->next; + } + } + + /* We shouldn't have removed the head. */ + log_assert (conflict_set); + log_assert (conflict_set_count >= 1); + xfree (die); + } + xfree (kb_all); + + if (DBG_TRUST) + { + log_debug ("binding <key: %s, email: %s> conflicts:\n", + fingerprint, email); + for (iter = conflict_set; iter; iter = iter->next) + { + log_debug (" %s:%s%s%s%s\n", + iter->d, + (iter->flags & BINDING_NEW) ? " new" : "", + (iter->flags & BINDING_CONFLICT) ? " known_conflict" : "", + (iter->flags & BINDING_EXPIRED) ? " expired" : "", + (iter->flags & BINDING_REVOKED) ? " revoked" : ""); + } + } + + return conflict_set; +} + + +/* Return the effective policy for the binding <FINGERPRINT, EMAIL> + * (email has already been normalized). Returns + * _tofu_GET_POLICY_ERROR if an error occurs. Returns any conflict + * information in *CONFLICT_SETP if CONFLICT_SETP is not NULL and the + * returned policy is TOFU_POLICY_ASK (consequently, if there is a + * conflict, but the user set the policy to good *CONFLICT_SETP will + * empty). Note: as per build_conflict_set, which is used to build + * the conflict information, the conflict information includes the + * current user id as the first element of the linked list. + * + * This function registers the binding in the bindings table if it has + * not yet been registered. + */ +static enum tofu_policy +get_policy (ctrl_t ctrl, tofu_dbs_t dbs, PKT_public_key *pk, + const char *fingerprint, const char *user_id, const char *email, + strlist_t *conflict_setp, time_t now) +{ + int rc; + char *err = NULL; + strlist_t results = NULL; + enum tofu_policy policy = _tofu_GET_POLICY_ERROR; + enum tofu_policy effective_policy_orig = TOFU_POLICY_NONE; + enum tofu_policy effective_policy = _tofu_GET_POLICY_ERROR; + long along; + char *conflict_orig = NULL; + char *conflict = NULL; + strlist_t conflict_set = NULL; + int conflict_set_count; + + /* Check if the <FINGERPRINT, EMAIL> binding is known + (TOFU_POLICY_NONE cannot appear in the DB. Thus, if POLICY is + still TOFU_POLICY_NONE after executing the query, then the + result set was empty.) */ + rc = gpgsql_stepx (dbs->db, &dbs->s.get_policy_select_policy_and_conflict, + strings_collect_cb2, &results, &err, + "select policy, conflict, effective_policy from bindings\n" + " where fingerprint = ? and email = ?", + GPGSQL_ARG_STRING, fingerprint, + GPGSQL_ARG_STRING, email, + GPGSQL_ARG_END); + if (rc) + { + log_error (_("error reading TOFU database: %s\n"), err); + print_further_info ("reading the policy"); + sqlite3_free (err); + rc = gpg_error (GPG_ERR_GENERAL); + goto out; + } + + if (strlist_length (results) == 0) + { + /* No results. Use the defaults. */ + policy = TOFU_POLICY_NONE; + effective_policy = TOFU_POLICY_NONE; + } + else if (strlist_length (results) == 3) + { + /* Parse and sanity check the results. */ + + if (string_to_long (&along, results->d, 0, __LINE__)) + { + log_error (_("error reading TOFU database: %s\n"), + gpg_strerror (GPG_ERR_BAD_DATA)); + print_further_info ("bad value for policy: %s", results->d); + goto out; + } + policy = along; + + if (! (policy == TOFU_POLICY_AUTO + || policy == TOFU_POLICY_GOOD + || policy == TOFU_POLICY_UNKNOWN + || policy == TOFU_POLICY_BAD + || policy == TOFU_POLICY_ASK)) + { + log_error (_("error reading TOFU database: %s\n"), + gpg_strerror (GPG_ERR_DB_CORRUPTED)); + print_further_info ("invalid value for policy (%d)", policy); + effective_policy = _tofu_GET_POLICY_ERROR; + goto out; + } + + if (*results->next->d) + conflict = xstrdup (results->next->d); + + if (string_to_long (&along, results->next->next->d, 0, __LINE__)) + { + log_error (_("error reading TOFU database: %s\n"), + gpg_strerror (GPG_ERR_BAD_DATA)); + print_further_info ("bad value for effective policy: %s", + results->next->next->d); + goto out; + } + effective_policy = along; + + if (! (effective_policy == TOFU_POLICY_NONE + || effective_policy == TOFU_POLICY_AUTO + || effective_policy == TOFU_POLICY_GOOD + || effective_policy == TOFU_POLICY_UNKNOWN + || effective_policy == TOFU_POLICY_BAD + || effective_policy == TOFU_POLICY_ASK)) + { + log_error (_("error reading TOFU database: %s\n"), + gpg_strerror (GPG_ERR_DB_CORRUPTED)); + print_further_info ("invalid value for effective_policy (%d)", + effective_policy); + effective_policy = _tofu_GET_POLICY_ERROR; + goto out; + } + } + else + { + /* The result has the wrong form. */ + + log_error (_("error reading TOFU database: %s\n"), + gpg_strerror (GPG_ERR_BAD_DATA)); + print_further_info ("reading policy: expected 3 columns, got %d\n", + strlist_length (results)); + goto out; + } + + /* Save the effective policy and conflict so we know if we changed + * them. */ + effective_policy_orig = effective_policy; + conflict_orig = conflict; + + /* Unless there is a conflict, if the effective policy is cached, + * just return it. The reason we don't do this when there is a + * conflict is because of the following scenario: assume A and B + * conflict and B has signed A's key. Now, later we import A's + * signature on B. We need to recheck A, but the signature was on + * B, i.e., when B changes, we invalidate B's effective policy, but + * we also need to invalidate A's effective policy. Instead, we + * assume that conflicts are rare and don't optimize for them, which + * would complicate the code. */ + if (effective_policy != TOFU_POLICY_NONE && !conflict) + goto out; + + /* If the user explicitly set the policy, then respect that. */ + if (policy != TOFU_POLICY_AUTO && policy != TOFU_POLICY_NONE) + { + effective_policy = policy; + goto out; + } + + /* Unless proven wrong, assume the effective policy is 'auto'. */ + effective_policy = TOFU_POLICY_AUTO; + + /* See if the key is ultimately trusted. */ + { + u32 kid[2]; + + keyid_from_pk (pk, kid); + if (tdb_keyid_is_utk (kid)) + { + effective_policy = TOFU_POLICY_GOOD; + goto out; + } + } + + /* See if the key is signed by an ultimately trusted key. */ + { + int fingerprint_raw_len = strlen (fingerprint) / 2; + char fingerprint_raw[20]; + int len = 0; + + if (fingerprint_raw_len != sizeof fingerprint_raw + || ((len = hex2bin (fingerprint, + fingerprint_raw, fingerprint_raw_len)) + != strlen (fingerprint))) + { + if (DBG_TRUST) + log_debug ("TOFU: Bad fingerprint: %s (len: %zu, parsed: %d)\n", + fingerprint, strlen (fingerprint), len); + } + else + { + int lookup_err; + kbnode_t kb; + + lookup_err = get_pubkey_byfprint (ctrl, NULL, &kb, + fingerprint_raw, + fingerprint_raw_len); + if (lookup_err) + { + if (DBG_TRUST) + log_debug ("TOFU: Looking up %s: %s\n", + fingerprint, gpg_strerror (lookup_err)); + } + else + { + int is_signed_by_utk = signed_by_utk (email, kb); + release_kbnode (kb); + if (is_signed_by_utk) + { + effective_policy = TOFU_POLICY_GOOD; + goto out; + } + } + } + } + + /* Check for any conflicts / see if a previously discovered conflict + * disappeared. The latter can happen if the conflicting bindings + * are now cross signed, for instance. */ + + conflict_set = build_conflict_set (ctrl, dbs, pk, fingerprint, email); + conflict_set_count = strlist_length (conflict_set); + if (conflict_set_count == 0) + { + /* build_conflict_set should always at least return the current + binding. Something went wrong. */ + effective_policy = _tofu_GET_POLICY_ERROR; + goto out; + } + + if (conflict_set_count == 1 + && (conflict_set->flags & BINDING_NEW)) + { + /* We've never observed a binding with this email address and we + * have a default policy, which is not to ask the user. */ + + /* If we've seen this binding, then we've seen this email and + * policy couldn't possibly be TOFU_POLICY_NONE. */ + log_assert (policy == TOFU_POLICY_NONE); + + if (DBG_TRUST) + log_debug ("TOFU: New binding <key: %s, user id: %s>, no conflict.\n", + fingerprint, email); + + effective_policy = TOFU_POLICY_AUTO; + goto out; + } + + if (conflict_set_count == 1 + && (conflict_set->flags & BINDING_CONFLICT)) + { + /* No known conflicts now, but there was a conflict. This means + * at some point, there was a conflict and we changed this + * binding's policy to ask and set the conflicting key. The + * conflict can go away if there is not a cross sig between the + * two keys. In this case, just silently clear the conflict and + * reset the policy to auto. */ + + if (DBG_TRUST) + log_debug ("TOFU: binding <key: %s, user id: %s> had a conflict, but it's been resolved (probably via cross sig).\n", + fingerprint, email); + + effective_policy = TOFU_POLICY_AUTO; + conflict = NULL; + + goto out; + } + + if (conflict_set_count == 1) + { + /* No conflicts and never marked as conflicting. */ + + log_assert (!conflict); + + effective_policy = TOFU_POLICY_AUTO; + + goto out; + } + + /* There is a conflicting key. */ + log_assert (conflict_set_count > 1); + effective_policy = TOFU_POLICY_ASK; + conflict = xstrdup (conflict_set->next->d); + + out: + log_assert (policy == _tofu_GET_POLICY_ERROR + || policy == TOFU_POLICY_NONE + || policy == TOFU_POLICY_AUTO + || policy == TOFU_POLICY_GOOD + || policy == TOFU_POLICY_UNKNOWN + || policy == TOFU_POLICY_BAD + || policy == TOFU_POLICY_ASK); + /* Everything but NONE. */ + log_assert (effective_policy == _tofu_GET_POLICY_ERROR + || effective_policy == TOFU_POLICY_AUTO + || effective_policy == TOFU_POLICY_GOOD + || effective_policy == TOFU_POLICY_UNKNOWN + || effective_policy == TOFU_POLICY_BAD + || effective_policy == TOFU_POLICY_ASK); + + if (effective_policy != TOFU_POLICY_ASK && conflict) + conflict = NULL; + + /* If we don't have a record of this binding, its effective policy + * changed, or conflict changed, update the DB. */ + if (effective_policy != _tofu_GET_POLICY_ERROR + && (/* New binding. */ + policy == TOFU_POLICY_NONE + /* effective_policy changed. */ + || effective_policy != effective_policy_orig + /* conflict changed. */ + || (conflict != conflict_orig + && (!conflict || !conflict_orig + || strcmp (conflict, conflict_orig) != 0)))) + { + if (record_binding (dbs, fingerprint, email, user_id, + policy == TOFU_POLICY_NONE ? TOFU_POLICY_AUTO : policy, + effective_policy, conflict, 1, 0, now) != 0) + log_error ("error setting TOFU binding's policy" + " to %s\n", tofu_policy_str (policy)); + } + + /* If the caller wants the set of conflicts, return it. */ + if (effective_policy == TOFU_POLICY_ASK && conflict_setp) + { + if (! conflict_set) + conflict_set = build_conflict_set (ctrl, dbs, pk, fingerprint, email); + *conflict_setp = conflict_set; + } + else + { + free_strlist (conflict_set); + + if (conflict_setp) + *conflict_setp = NULL; + } + + xfree (conflict_orig); + if (conflict != conflict_orig) + xfree (conflict); + free_strlist (results); + + return effective_policy; +} + + +/* Return the trust level (TRUST_NEVER, etc.) for the binding + * <FINGERPRINT, EMAIL> (email is already normalized). If no policy + * is registered, returns TOFU_POLICY_NONE. If an error occurs, + * returns _tofu_GET_TRUST_ERROR. + * + * PK is the public key object for FINGERPRINT. + * + * USER_ID is the unadulterated user id. + * + * If MAY_ASK is set, then we may interact with the user. This is + * necessary if there is a conflict or the binding's policy is + * TOFU_POLICY_ASK. In the case of a conflict, we set the new + * conflicting binding's policy to TOFU_POLICY_ASK. In either case, + * we return TRUST_UNDEFINED. Note: if MAY_ASK is set, then this + * function must not be called while in a transaction! */ +static enum tofu_policy +get_trust (ctrl_t ctrl, PKT_public_key *pk, + const char *fingerprint, const char *email, + const char *user_id, int may_ask, + enum tofu_policy *policyp, strlist_t *conflict_setp, + time_t now) +{ + tofu_dbs_t dbs = ctrl->tofu.dbs; + int in_transaction = 0; + enum tofu_policy policy; + int rc; + char *sqerr = NULL; + strlist_t conflict_set = NULL; + int trust_level = TRUST_UNKNOWN; + strlist_t iter; + + log_assert (dbs); + + if (may_ask) + log_assert (dbs->in_transaction == 0); + + if (opt.batch) + may_ask = 0; + + log_assert (pk_is_primary (pk)); + + /* Make sure _tofu_GET_TRUST_ERROR isn't equal to any of the trust + levels. */ + log_assert (_tofu_GET_TRUST_ERROR != TRUST_UNKNOWN + && _tofu_GET_TRUST_ERROR != TRUST_EXPIRED + && _tofu_GET_TRUST_ERROR != TRUST_UNDEFINED + && _tofu_GET_TRUST_ERROR != TRUST_NEVER + && _tofu_GET_TRUST_ERROR != TRUST_MARGINAL + && _tofu_GET_TRUST_ERROR != TRUST_FULLY + && _tofu_GET_TRUST_ERROR != TRUST_ULTIMATE); + + begin_transaction (ctrl, 0); + in_transaction = 1; + + /* We need to call get_policy even if the key is ultimately trusted + * to make sure the binding has been registered. */ + policy = get_policy (ctrl, dbs, pk, fingerprint, user_id, email, + &conflict_set, now); + + if (policy == TOFU_POLICY_ASK) + /* The conflict set should always contain at least one element: + * the current key. */ + log_assert (conflict_set); + else + /* If the policy is not TOFU_POLICY_ASK, then conflict_set will be + * NULL. */ + log_assert (! conflict_set); + + /* If the key is ultimately trusted, there is nothing to do. */ + { + u32 kid[2]; + + keyid_from_pk (pk, kid); + if (tdb_keyid_is_utk (kid)) + { + trust_level = TRUST_ULTIMATE; + policy = TOFU_POLICY_GOOD; + goto out; + } + } + + if (policy == TOFU_POLICY_AUTO) + { + policy = opt.tofu_default_policy; + if (DBG_TRUST) + log_debug ("TOFU: binding <key: %s, user id: %s>'s policy is" + " auto (default: %s).\n", + fingerprint, email, + tofu_policy_str (opt.tofu_default_policy)); + + if (policy == TOFU_POLICY_ASK) + /* The default policy is ASK, but there is no conflict (policy + * was 'auto'). In this case, we need to make sure the + * conflict set includes at least the current user id. */ + { + add_to_strlist (&conflict_set, fingerprint); + } + } + switch (policy) + { + case TOFU_POLICY_AUTO: + case TOFU_POLICY_GOOD: + case TOFU_POLICY_UNKNOWN: + case TOFU_POLICY_BAD: + /* The saved judgement is auto -> auto, good, unknown or bad. + * We don't need to ask the user anything. */ + if (DBG_TRUST) + log_debug ("TOFU: Known binding <key: %s, user id: %s>'s policy: %s\n", + fingerprint, email, tofu_policy_str (policy)); + trust_level = tofu_policy_to_trust_level (policy); + goto out; + + case TOFU_POLICY_ASK: + /* We need to ask the user what to do. */ + break; + + case _tofu_GET_POLICY_ERROR: + trust_level = _tofu_GET_TRUST_ERROR; + goto out; + + default: + log_bug ("%s: Impossible value for policy (%d)\n", __func__, policy); + } + + + /* We get here if: + * + * 1. The saved policy is auto and the default policy is ask + * (get_policy() == TOFU_POLICY_AUTO + * && opt.tofu_default_policy == TOFU_POLICY_ASK) + * + * 2. The saved policy is ask (either last time the user selected + * accept once or reject once or there was a conflict and this + * binding's policy was changed from auto to ask) + * (policy == TOFU_POLICY_ASK). + */ + log_assert (policy == TOFU_POLICY_ASK); + + if (may_ask) + { + /* We can't be in a normal transaction in ask_about_binding. */ + end_transaction (ctrl, 0); + in_transaction = 0; + + /* If we get here, we need to ask the user about the binding. */ + ask_about_binding (ctrl, + &policy, + &trust_level, + conflict_set, + fingerprint, + email, + user_id, + now); + } + else + { + trust_level = TRUST_UNDEFINED; + } + + /* Mark any conflicting bindings that have an automatic policy as + * now requiring confirmation. Note: we do this after we ask for + * confirmation so that when the current policy is printed, it is + * correct. */ + if (! in_transaction) + { + begin_transaction (ctrl, 0); + in_transaction = 1; + } + + /* The conflict set should always contain at least one element: + * the current key. */ + log_assert (conflict_set); + + for (iter = conflict_set->next; iter; iter = iter->next) + { + /* We don't immediately set the effective policy to 'ask, + because */ + rc = gpgsql_exec_printf + (dbs->db, NULL, NULL, &sqerr, + "update bindings set effective_policy = %d, conflict = %Q" + " where email = %Q and fingerprint = %Q and effective_policy != %d;", + TOFU_POLICY_NONE, fingerprint, + email, iter->d, TOFU_POLICY_ASK); + if (rc) + { + log_error (_("error changing TOFU policy: %s\n"), sqerr); + print_further_info ("binding: <key: %s, user id: %s>", + fingerprint, user_id); + sqlite3_free (sqerr); + sqerr = NULL; + rc = gpg_error (GPG_ERR_GENERAL); + } + else if (DBG_TRUST) + log_debug ("Set %s to conflict with %s\n", + iter->d, fingerprint); + } + + out: + if (in_transaction) + end_transaction (ctrl, 0); + + if (policyp) + *policyp = policy; + + if (conflict_setp) + *conflict_setp = conflict_set; + else + free_strlist (conflict_set); + + return trust_level; +} + + +/* Return a malloced string of the form + * "7~months" + * The caller should replace all '~' in the returned string by a space + * and also free the returned string. + * + * This is actually a bad hack which may not work correctly with all + * languages. + */ +static char * +time_ago_str (long long int t) +{ + /* It would be nice to use a macro to do this, but gettext + works on the unpreprocessed code. */ +#define MIN_SECS (60) +#define HOUR_SECS (60 * MIN_SECS) +#define DAY_SECS (24 * HOUR_SECS) +#define WEEK_SECS (7 * DAY_SECS) +#define MONTH_SECS (30 * DAY_SECS) +#define YEAR_SECS (365 * DAY_SECS) + + if (t > 2 * YEAR_SECS) + { + long long int c = t / YEAR_SECS; + return xtryasprintf (ngettext("%lld~year", "%lld~years", c), c); + } + if (t > 2 * MONTH_SECS) + { + long long int c = t / MONTH_SECS; + return xtryasprintf (ngettext("%lld~month", "%lld~months", c), c); + } + if (t > 2 * WEEK_SECS) + { + long long int c = t / WEEK_SECS; + return xtryasprintf (ngettext("%lld~week", "%lld~weeks", c), c); + } + if (t > 2 * DAY_SECS) + { + long long int c = t / DAY_SECS; + return xtryasprintf (ngettext("%lld~day", "%lld~days", c), c); + } + if (t > 2 * HOUR_SECS) + { + long long int c = t / HOUR_SECS; + return xtryasprintf (ngettext("%lld~hour", "%lld~hours", c), c); + } + if (t > 2 * MIN_SECS) + { + long long int c = t / MIN_SECS; + return xtryasprintf (ngettext("%lld~minute", "%lld~minutes", c), c); + } + return xtryasprintf (ngettext("%lld~second", "%lld~seconds", t), t); +} + + +/* If FP is NULL, write TOFU_STATS status line. If FP is not NULL + * write a "tfs" record to that stream. */ +static void +write_stats_status (estream_t fp, + enum tofu_policy policy, + unsigned long signature_count, + unsigned long signature_first_seen, + unsigned long signature_most_recent, + unsigned long signature_days, + unsigned long encryption_count, + unsigned long encryption_first_done, + unsigned long encryption_most_recent, + unsigned long encryption_days) +{ + int summary; + int validity; + unsigned long days_sq; + + /* Use the euclidean distance (m = sqrt(a^2 + b^2)) rather then the + sum of the magnitudes (m = a + b) to ensure a balance between + verified signatures and encrypted messages. */ + days_sq = signature_days * signature_days + encryption_days * encryption_days; + + if (days_sq < 1) + validity = 1; /* Key without history. */ + else if (days_sq < (2 * BASIC_TRUST_THRESHOLD) * (2 * BASIC_TRUST_THRESHOLD)) + validity = 2; /* Key with too little history. */ + else if (days_sq < (2 * FULL_TRUST_THRESHOLD) * (2 * FULL_TRUST_THRESHOLD)) + validity = 3; /* Key with enough history for basic trust. */ + else + validity = 4; /* Key with a lot of history. */ + + if (policy == TOFU_POLICY_ASK) + summary = 0; /* Key requires attention. */ + else + summary = validity; + + if (fp) + { + es_fprintf (fp, "tfs:1:%d:%lu:%lu:%s:%lu:%lu:%lu:%lu:%d:%lu:%lu:\n", + summary, signature_count, encryption_count, + tofu_policy_str (policy), + signature_first_seen, signature_most_recent, + encryption_first_done, encryption_most_recent, + validity, signature_days, encryption_days); + } + else + { + write_status_printf (STATUS_TOFU_STATS, + "%d %lu %lu %s %lu %lu %lu %lu %d %lu %lu", + summary, + signature_count, + encryption_count, + tofu_policy_str (policy), + signature_first_seen, + signature_most_recent, + encryption_first_done, + encryption_most_recent, + validity, + signature_days, encryption_days); + } +} + +/* Note: If OUTFP is not NULL, this function merely prints a "tfs" record + * to OUTFP. + * + * POLICY is the key's policy (as returned by get_policy). + * + * Returns 0 if ONLY_STATUS_FD is set. Otherwise, returns whether + * the caller should call show_warning after iterating over all user + * ids. + */ +static int +show_statistics (tofu_dbs_t dbs, + const char *fingerprint, const char *email, + enum tofu_policy policy, + estream_t outfp, int only_status_fd, time_t now) +{ + char *fingerprint_pp; + int rc; + strlist_t strlist = NULL; + char *err = NULL; + + unsigned long signature_first_seen = 0; + unsigned long signature_most_recent = 0; + unsigned long signature_count = 0; + unsigned long signature_days = 0; + unsigned long encryption_first_done = 0; + unsigned long encryption_most_recent = 0; + unsigned long encryption_count = 0; + unsigned long encryption_days = 0; + + int show_warning = 0; + + if (only_status_fd && ! is_status_enabled ()) + return 0; + + fingerprint_pp = format_hexfingerprint (fingerprint, NULL, 0); + + /* Get the signature stats. */ + rc = gpgsql_exec_printf + (dbs->db, strings_collect_cb, &strlist, &err, + "select count (*), coalesce (min (signatures.time), 0),\n" + " coalesce (max (signatures.time), 0)\n" + " from signatures\n" + " left join bindings on signatures.binding = bindings.oid\n" + " where fingerprint = %Q and email = %Q;", + fingerprint, email); + if (rc) + { + log_error (_("error reading TOFU database: %s\n"), err); + print_further_info ("getting signature statistics"); + sqlite3_free (err); + rc = gpg_error (GPG_ERR_GENERAL); + goto out; + } + rc = gpgsql_exec_printf + (dbs->db, strings_collect_cb, &strlist, &err, + "select count (*) from\n" + " (select round(signatures.time / (24 * 60 * 60)) day\n" + " from signatures\n" + " left join bindings on signatures.binding = bindings.oid\n" + " where fingerprint = %Q and email = %Q\n" + " group by day);", + fingerprint, email); + if (rc) + { + log_error (_("error reading TOFU database: %s\n"), err); + print_further_info ("getting signature statistics (by day)"); + sqlite3_free (err); + rc = gpg_error (GPG_ERR_GENERAL); + goto out; + } + + if (strlist) + { + /* We expect exactly 4 elements. */ + log_assert (strlist->next); + log_assert (strlist->next->next); + log_assert (strlist->next->next->next); + log_assert (! strlist->next->next->next->next); + + string_to_ulong (&signature_days, strlist->d, -1, __LINE__); + string_to_ulong (&signature_count, strlist->next->d, -1, __LINE__); + string_to_ulong (&signature_first_seen, + strlist->next->next->d, -1, __LINE__); + string_to_ulong (&signature_most_recent, + strlist->next->next->next->d, -1, __LINE__); + + free_strlist (strlist); + strlist = NULL; + } + + /* Get the encryption stats. */ + rc = gpgsql_exec_printf + (dbs->db, strings_collect_cb, &strlist, &err, + "select count (*), coalesce (min (encryptions.time), 0),\n" + " coalesce (max (encryptions.time), 0)\n" + " from encryptions\n" + " left join bindings on encryptions.binding = bindings.oid\n" + " where fingerprint = %Q and email = %Q;", + fingerprint, email); + if (rc) + { + log_error (_("error reading TOFU database: %s\n"), err); + print_further_info ("getting encryption statistics"); + sqlite3_free (err); + rc = gpg_error (GPG_ERR_GENERAL); + goto out; + } + rc = gpgsql_exec_printf + (dbs->db, strings_collect_cb, &strlist, &err, + "select count (*) from\n" + " (select round(encryptions.time / (24 * 60 * 60)) day\n" + " from encryptions\n" + " left join bindings on encryptions.binding = bindings.oid\n" + " where fingerprint = %Q and email = %Q\n" + " group by day);", + fingerprint, email); + if (rc) + { + log_error (_("error reading TOFU database: %s\n"), err); + print_further_info ("getting encryption statistics (by day)"); + sqlite3_free (err); + rc = gpg_error (GPG_ERR_GENERAL); + goto out; + } + + if (strlist) + { + /* We expect exactly 4 elements. */ + log_assert (strlist->next); + log_assert (strlist->next->next); + log_assert (strlist->next->next->next); + log_assert (! strlist->next->next->next->next); + + string_to_ulong (&encryption_days, strlist->d, -1, __LINE__); + string_to_ulong (&encryption_count, strlist->next->d, -1, __LINE__); + string_to_ulong (&encryption_first_done, + strlist->next->next->d, -1, __LINE__); + string_to_ulong (&encryption_most_recent, + strlist->next->next->next->d, -1, __LINE__); + + free_strlist (strlist); + strlist = NULL; + } + + if (!outfp) + write_status_text_and_buffer (STATUS_TOFU_USER, fingerprint, + email, strlen (email), 0); + + write_stats_status (outfp, policy, + signature_count, + signature_first_seen, + signature_most_recent, + signature_days, + encryption_count, + encryption_first_done, + encryption_most_recent, + encryption_days); + + if (!outfp && !only_status_fd) + { + estream_t fp; + char *msg; + + fp = es_fopenmem (0, "rw,samethread"); + if (! fp) + log_fatal ("error creating memory stream: %s\n", + gpg_strerror (gpg_error_from_syserror())); + + if (signature_count == 0 && encryption_count == 0) + { + es_fprintf (fp, + _("%s: Verified 0~signatures and encrypted 0~messages."), + email); + } + else + { + if (signature_count == 0) + es_fprintf (fp, _("%s: Verified 0 signatures."), email); + else + { + /* Note: Translation not possible with that wording. */ + char *ago_str = time_ago_str (now - signature_first_seen); + es_fprintf + (fp, "%s: Verified %ld~signatures in the past %s.", + email, signature_count, ago_str); + xfree (ago_str); + } + + es_fputs (" ", fp); + + if (encryption_count == 0) + es_fprintf (fp, _("Encrypted 0 messages.")); + else + { + char *ago_str = time_ago_str (now - encryption_first_done); + + /* Note: Translation not possible with this kind of + * composition. */ + es_fprintf (fp, "Encrypted %ld~messages in the past %s.", + encryption_count, ago_str); + xfree (ago_str); + } + } + + if (opt.verbose) + { + es_fputs (" ", fp); + es_fprintf (fp, _("(policy: %s)"), tofu_policy_str (policy)); + } + es_fputs ("\n", fp); + + + { + char *tmpmsg, *p; + es_fputc (0, fp); + if (es_fclose_snatch (fp, (void **) &tmpmsg, NULL)) + log_fatal ("error snatching memory stream\n"); + msg = format_text (tmpmsg, 72, 80); + if (!msg) /* FIXME: Return the error all the way up. */ + log_fatal ("format failed: %s\n", + gpg_strerror (gpg_error_from_syserror())); + es_free (tmpmsg); + + /* Print a status line but suppress the trailing LF. + * Spaces are not percent escaped. */ + if (*msg) + write_status_buffer (STATUS_TOFU_STATS_LONG, + msg, strlen (msg)-1, -1); + + /* Remove the non-breaking space markers. */ + for (p=msg; *p; p++) + if (*p == '~') + *p = ' '; + } + + log_string (GPGRT_LOG_INFO, msg); + xfree (msg); + + if (policy == TOFU_POLICY_AUTO) + { + if (signature_count == 0) + log_info (_("Warning: we have yet to see" + " a message signed using this key and user id!\n")); + else if (signature_count == 1) + log_info (_("Warning: we've only seen one message" + " signed using this key and user id!\n")); + + if (encryption_count == 0) + log_info (_("Warning: you have yet to encrypt" + " a message to this key!\n")); + else if (encryption_count == 1) + log_info (_("Warning: you have only encrypted" + " one message to this key!\n")); + + /* Cf. write_stats_status */ + if ((encryption_count * encryption_count + + signature_count * signature_count) + < ((2 * BASIC_TRUST_THRESHOLD) * (2 * BASIC_TRUST_THRESHOLD))) + show_warning = 1; + } + } + + out: + xfree (fingerprint_pp); + + return show_warning; +} + +static void +show_warning (const char *fingerprint, strlist_t user_id_list) +{ + char *set_policy_command; + char *text; + char *tmpmsg; + + set_policy_command = + xasprintf ("gpg --tofu-policy bad %s", fingerprint); + + tmpmsg = xasprintf + (ngettext + ("Warning: if you think you've seen more signatures " + "by this key and user id, then this key might be a " + "forgery! Carefully examine the email address for small " + "variations. If the key is suspect, then use\n" + " %s\n" + "to mark it as being bad.\n", + "Warning: if you think you've seen more signatures " + "by this key and these user ids, then this key might be a " + "forgery! Carefully examine the email addresses for small " + "variations. If the key is suspect, then use\n" + " %s\n" + "to mark it as being bad.\n", + strlist_length (user_id_list)), + set_policy_command); + + text = format_text (tmpmsg, 72, 80); + if (!text) /* FIXME: Return the error all the way up. */ + log_fatal ("format failed: %s\n", + gpg_strerror (gpg_error_from_syserror())); + xfree (tmpmsg); + log_string (GPGRT_LOG_INFO, text); + xfree (text); + + es_free (set_policy_command); +} + + +/* Extract the email address from a user id and normalize it. If the + user id doesn't contain an email address, then we use the whole + user_id and normalize that. The returned string must be freed. */ +static char * +email_from_user_id (const char *user_id) +{ + char *email = mailbox_from_userid (user_id); + if (! email) + { + /* Hmm, no email address was provided or we are out of core. Just + take the lower-case version of the whole user id. It could be + a hostname, for instance. */ + email = ascii_strlwr (xstrdup (user_id)); + } + + return email; +} + +/* Register the signature with the bindings <fingerprint, USER_ID>, + for each USER_ID in USER_ID_LIST. The fingerprint is taken from + the primary key packet PK. + + SIG_DIGEST_BIN is the binary representation of the message's + digest. SIG_DIGEST_BIN_LEN is its length. + + SIG_TIME is the time that the signature was generated. + + ORIGIN is a free-formed string describing the origin of the + signature. If this was from an email and the Claws MUA was used, + then this should be something like: "email:claws". If this is + NULL, the default is simply "unknown". + + If MAY_ASK is 1, then this function may interact with the user. + This is necessary if there is a conflict or the binding's policy is + TOFU_POLICY_ASK. + + This function returns 0 on success and an error code if an error + occurred. */ +gpg_error_t +tofu_register_signature (ctrl_t ctrl, + PKT_public_key *pk, strlist_t user_id_list, + const byte *sig_digest_bin, int sig_digest_bin_len, + time_t sig_time, const char *origin) +{ + time_t now = gnupg_get_time (); + gpg_error_t rc; + tofu_dbs_t dbs; + char *fingerprint = NULL; + strlist_t user_id; + char *email = NULL; + char *sqlerr = NULL; + char *sig_digest = NULL; + unsigned long c; + + dbs = opendbs (ctrl); + if (! dbs) + { + rc = gpg_error (GPG_ERR_GENERAL); + log_error (_("error opening TOFU database: %s\n"), + gpg_strerror (rc)); + return rc; + } + + /* We do a query and then an insert. Make sure they are atomic + by wrapping them in a transaction. */ + rc = begin_transaction (ctrl, 0); + if (rc) + return rc; + + log_assert (pk_is_primary (pk)); + + sig_digest = make_radix64_string (sig_digest_bin, sig_digest_bin_len); + if (!sig_digest) + { + rc = gpg_error_from_syserror (); + goto leave; + } + fingerprint = hexfingerprint (pk, NULL, 0); + if (!fingerprint) + { + rc = gpg_error_from_syserror (); + goto leave; + } + + if (! origin) + origin = "unknown"; /* The default origin is simply "unknown". */ + + for (user_id = user_id_list; user_id; user_id = user_id->next) + { + email = email_from_user_id (user_id->d); + + if (DBG_TRUST) + log_debug ("TOFU: Registering signature %s with binding" + " <key: %s, user id: %s>\n", + sig_digest, fingerprint, email); + + /* Make sure the binding exists and record any TOFU + conflicts. */ + if (get_trust (ctrl, pk, fingerprint, email, user_id->d, + 0, NULL, NULL, now) + == _tofu_GET_TRUST_ERROR) + { + rc = gpg_error (GPG_ERR_GENERAL); + xfree (email); + break; + } + + /* If we've already seen this signature before, then don't add + it again. */ + rc = gpgsql_stepx + (dbs->db, &dbs->s.register_already_seen, + get_single_unsigned_long_cb2, &c, &sqlerr, + "select count (*)\n" + " from signatures left join bindings\n" + " on signatures.binding = bindings.oid\n" + " where fingerprint = ? and email = ? and sig_time = ?\n" + " and sig_digest = ?", + GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email, + GPGSQL_ARG_LONG_LONG, (long long) sig_time, + GPGSQL_ARG_STRING, sig_digest, + GPGSQL_ARG_END); + if (rc) + { + log_error (_("error reading TOFU database: %s\n"), sqlerr); + print_further_info ("checking existence"); + sqlite3_free (sqlerr); + rc = gpg_error (GPG_ERR_GENERAL); + } + else if (c > 1) + /* Duplicates! This should not happen. In particular, + because <fingerprint, email, sig_time, sig_digest> is the + primary key! */ + log_debug ("SIGNATURES DB contains duplicate records" + " <key: %s, email: %s, time: 0x%lx, sig: %s," + " origin: %s>." + " Please report.\n", + fingerprint, email, (unsigned long) sig_time, + sig_digest, origin); + else if (c == 1) + { + if (DBG_TRUST) + log_debug ("Already observed the signature and binding" + " <key: %s, email: %s, time: 0x%lx, sig: %s," + " origin: %s>\n", + fingerprint, email, (unsigned long) sig_time, + sig_digest, origin); + } + else if (opt.dry_run) + { + log_info ("TOFU database update skipped due to --dry-run\n"); + } + else + /* This is the first time that we've seen this signature and + binding. Record it. */ + { + if (DBG_TRUST) + log_debug ("TOFU: Saving signature" + " <key: %s, user id: %s, sig: %s>\n", + fingerprint, email, sig_digest); + + log_assert (c == 0); + + rc = gpgsql_stepx + (dbs->db, &dbs->s.register_signature, NULL, NULL, &sqlerr, + "insert into signatures\n" + " (binding, sig_digest, origin, sig_time, time)\n" + " values\n" + " ((select oid from bindings\n" + " where fingerprint = ? and email = ?),\n" + " ?, ?, ?, ?);", + GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email, + GPGSQL_ARG_STRING, sig_digest, GPGSQL_ARG_STRING, origin, + GPGSQL_ARG_LONG_LONG, (long long) sig_time, + GPGSQL_ARG_LONG_LONG, (long long) now, + GPGSQL_ARG_END); + if (rc) + { + log_error (_("error updating TOFU database: %s\n"), sqlerr); + print_further_info ("insert signatures"); + sqlite3_free (sqlerr); + rc = gpg_error (GPG_ERR_GENERAL); + } + } + + xfree (email); + + if (rc) + break; + } + + leave: + if (rc) + rollback_transaction (ctrl); + else + rc = end_transaction (ctrl, 0); + + xfree (fingerprint); + xfree (sig_digest); + + return rc; +} + +gpg_error_t +tofu_register_encryption (ctrl_t ctrl, + PKT_public_key *pk, strlist_t user_id_list, + int may_ask) +{ + time_t now = gnupg_get_time (); + gpg_error_t rc = 0; + tofu_dbs_t dbs; + kbnode_t kb = NULL; + int free_user_id_list = 0; + char *fingerprint = NULL; + strlist_t user_id; + char *sqlerr = NULL; + int in_batch = 0; + + dbs = opendbs (ctrl); + if (! dbs) + { + rc = gpg_error (GPG_ERR_GENERAL); + log_error (_("error opening TOFU database: %s\n"), + gpg_strerror (rc)); + return rc; + } + + if (/* We need the key block to find the primary key. */ + ! pk_is_primary (pk) + /* We need the key block to find all user ids. */ + || ! user_id_list) + kb = get_pubkeyblock (ctrl, pk->keyid); + + /* Make sure PK is a primary key. */ + if (! pk_is_primary (pk)) + pk = kb->pkt->pkt.public_key; + + if (! user_id_list) + { + /* Use all non-revoked user ids. Do use expired user ids. */ + kbnode_t n = kb; + + while ((n = find_next_kbnode (n, PKT_USER_ID))) + { + PKT_user_id *uid = n->pkt->pkt.user_id; + + if (uid->flags.revoked) + continue; + + add_to_strlist (&user_id_list, uid->name); + } + + free_user_id_list = 1; + + if (! user_id_list) + log_info (_("WARNING: Encrypting to %s, which has no " + "non-revoked user ids\n"), + keystr (pk->keyid)); + } + + fingerprint = hexfingerprint (pk, NULL, 0); + if (!fingerprint) + { + rc = gpg_error_from_syserror (); + goto leave; + } + + tofu_begin_batch_update (ctrl); + in_batch = 1; + tofu_resume_batch_transaction (ctrl); + + for (user_id = user_id_list; user_id; user_id = user_id->next) + { + char *email = email_from_user_id (user_id->d); + strlist_t conflict_set = NULL; + enum tofu_policy policy; + + /* Make sure the binding exists and that we recognize any + conflicts. */ + int tl = get_trust (ctrl, pk, fingerprint, email, user_id->d, + may_ask, &policy, &conflict_set, now); + if (tl == _tofu_GET_TRUST_ERROR) + { + /* An error. */ + rc = gpg_error (GPG_ERR_GENERAL); + xfree (email); + goto leave; + } + + + /* If there is a conflict and MAY_ASK is true, we need to show + * the TOFU statistics for the current binding and the + * conflicting bindings. But, if we are not in batch mode, then + * they have already been printed (this is required to make sure + * the information is available to the caller before cpr_get is + * called). */ + if (policy == TOFU_POLICY_ASK && may_ask && opt.batch) + { + strlist_t iter; + + /* The conflict set should contain at least the current + * key. */ + log_assert (conflict_set); + + for (iter = conflict_set; iter; iter = iter->next) + show_statistics (dbs, iter->d, email, + TOFU_POLICY_ASK, NULL, 1, now); + } + + free_strlist (conflict_set); + + rc = gpgsql_stepx + (dbs->db, &dbs->s.register_encryption, NULL, NULL, &sqlerr, + "insert into encryptions\n" + " (binding, time)\n" + " values\n" + " ((select oid from bindings\n" + " where fingerprint = ? and email = ?),\n" + " ?);", + GPGSQL_ARG_STRING, fingerprint, GPGSQL_ARG_STRING, email, + GPGSQL_ARG_LONG_LONG, (long long) now, + GPGSQL_ARG_END); + if (rc) + { + log_error (_("error updating TOFU database: %s\n"), sqlerr); + print_further_info ("insert encryption"); + sqlite3_free (sqlerr); + rc = gpg_error (GPG_ERR_GENERAL); + } + + xfree (email); + } + + leave: + if (in_batch) + tofu_end_batch_update (ctrl); + + release_kbnode (kb); + if (free_user_id_list) + free_strlist (user_id_list); + xfree (fingerprint); + + return rc; +} + + +/* Combine a trust level returned from the TOFU trust model with a + trust level returned by the PGP trust model. This is primarily of + interest when the trust model is tofu+pgp (TM_TOFU_PGP). + + This function ors together the upper bits (the values not covered + by TRUST_MASK, i.e., TRUST_FLAG_REVOKED, etc.). */ +int +tofu_wot_trust_combine (int tofu_base, int wot_base) +{ + int tofu = tofu_base & TRUST_MASK; + int wot = wot_base & TRUST_MASK; + int upper = (tofu_base & ~TRUST_MASK) | (wot_base & ~TRUST_MASK); + + log_assert (tofu == TRUST_UNKNOWN + || tofu == TRUST_EXPIRED + || tofu == TRUST_UNDEFINED + || tofu == TRUST_NEVER + || tofu == TRUST_MARGINAL + || tofu == TRUST_FULLY + || tofu == TRUST_ULTIMATE); + log_assert (wot == TRUST_UNKNOWN + || wot == TRUST_EXPIRED + || wot == TRUST_UNDEFINED + || wot == TRUST_NEVER + || wot == TRUST_MARGINAL + || wot == TRUST_FULLY + || wot == TRUST_ULTIMATE); + + /* We first consider negative trust policys. These trump positive + trust policies. */ + if (tofu == TRUST_NEVER || wot == TRUST_NEVER) + /* TRUST_NEVER trumps everything else. */ + return upper | TRUST_NEVER; + if (tofu == TRUST_EXPIRED || wot == TRUST_EXPIRED) + /* TRUST_EXPIRED trumps everything but TRUST_NEVER. */ + return upper | TRUST_EXPIRED; + + /* Now we only have positive or neutral trust policies. We take + the max. */ + if (tofu == TRUST_ULTIMATE) + return upper | TRUST_ULTIMATE | TRUST_FLAG_TOFU_BASED; + if (wot == TRUST_ULTIMATE) + return upper | TRUST_ULTIMATE; + + if (tofu == TRUST_FULLY) + return upper | TRUST_FULLY | TRUST_FLAG_TOFU_BASED; + if (wot == TRUST_FULLY) + return upper | TRUST_FULLY; + + if (tofu == TRUST_MARGINAL) + return upper | TRUST_MARGINAL | TRUST_FLAG_TOFU_BASED; + if (wot == TRUST_MARGINAL) + return upper | TRUST_MARGINAL; + + if (tofu == TRUST_UNDEFINED) + return upper | TRUST_UNDEFINED | TRUST_FLAG_TOFU_BASED; + if (wot == TRUST_UNDEFINED) + return upper | TRUST_UNDEFINED; + + return upper | TRUST_UNKNOWN; +} + + +/* Write a "tfs" record for a --with-colons listing. */ +gpg_error_t +tofu_write_tfs_record (ctrl_t ctrl, estream_t fp, + PKT_public_key *pk, const char *user_id) +{ + time_t now = gnupg_get_time (); + gpg_error_t err = 0; + tofu_dbs_t dbs; + char *fingerprint; + char *email = NULL; + enum tofu_policy policy; + + if (!*user_id) + return 0; /* No TOFU stats possible for an empty ID. */ + + dbs = opendbs (ctrl); + if (!dbs) + { + err = gpg_error (GPG_ERR_GENERAL); + log_error (_("error opening TOFU database: %s\n"), gpg_strerror (err)); + return err; + } + + fingerprint = hexfingerprint (pk, NULL, 0); + if (!fingerprint) + { + err = gpg_error_from_syserror (); + goto leave; + } + email = email_from_user_id (user_id); + policy = get_policy (ctrl, dbs, pk, fingerprint, user_id, email, NULL, now); + + show_statistics (dbs, fingerprint, email, policy, fp, 0, now); + + leave: + xfree (email); + xfree (fingerprint); + return err; +} + + +/* Return the validity (TRUST_NEVER, etc.) of the bindings + <FINGERPRINT, USER_ID>, for each USER_ID in USER_ID_LIST. If + USER_ID_LIST->FLAG is set, then the id is considered to be expired. + + PK is the primary key packet. + + If MAY_ASK is 1 and the policy is TOFU_POLICY_ASK, then the user + will be prompted to choose a policy. If MAY_ASK is 0 and the + policy is TOFU_POLICY_ASK, then TRUST_UNKNOWN is returned. + + Returns TRUST_UNDEFINED if an error occurs. + + Fixme: eturn an error code + */ +int +tofu_get_validity (ctrl_t ctrl, PKT_public_key *pk, strlist_t user_id_list, + int may_ask) +{ + time_t now = gnupg_get_time (); + tofu_dbs_t dbs; + char *fingerprint = NULL; + strlist_t user_id; + int trust_level = TRUST_UNKNOWN; + int bindings = 0; + int bindings_valid = 0; + int need_warning = 0; + int had_conflict = 0; + + dbs = opendbs (ctrl); + if (! dbs) + { + log_error (_("error opening TOFU database: %s\n"), + gpg_strerror (GPG_ERR_GENERAL)); + return TRUST_UNDEFINED; + } + + fingerprint = hexfingerprint (pk, NULL, 0); + if (!fingerprint) + log_fatal ("%s: malloc failed\n", __func__); + + tofu_begin_batch_update (ctrl); + /* Start the batch transaction now. */ + tofu_resume_batch_transaction (ctrl); + + for (user_id = user_id_list; user_id; user_id = user_id->next, bindings ++) + { + char *email = email_from_user_id (user_id->d); + strlist_t conflict_set = NULL; + enum tofu_policy policy; + + /* Always call get_trust to make sure the binding is + registered. */ + int tl = get_trust (ctrl, pk, fingerprint, email, user_id->d, + may_ask, &policy, &conflict_set, now); + if (tl == _tofu_GET_TRUST_ERROR) + { + /* An error. */ + trust_level = TRUST_UNDEFINED; + xfree (email); + goto die; + } + + if (DBG_TRUST) + log_debug ("TOFU: validity for <key: %s, user id: %s>: %s%s.\n", + fingerprint, email, + trust_value_to_string (tl), + user_id->flags ? " (but expired)" : ""); + + if (user_id->flags) + tl = TRUST_EXPIRED; + + if (tl != TRUST_EXPIRED) + bindings_valid ++; + + if (may_ask && tl != TRUST_ULTIMATE && tl != TRUST_EXPIRED) + { + /* If policy is ask, then we already printed out the + * conflict information in ask_about_binding or will do so + * in a moment. */ + if (policy != TOFU_POLICY_ASK) + need_warning |= + show_statistics (dbs, fingerprint, email, policy, NULL, 0, now); + + /* If there is a conflict and MAY_ASK is true, we need to + * show the TOFU statistics for the current binding and the + * conflicting bindings. But, if we are not in batch mode, + * then they have already been printed (this is required to + * make sure the information is available to the caller + * before cpr_get is called). */ + if (policy == TOFU_POLICY_ASK && opt.batch) + { + strlist_t iter; + + /* The conflict set should contain at least the current + * key. */ + log_assert (conflict_set); + + had_conflict = 1; + for (iter = conflict_set; iter; iter = iter->next) + show_statistics (dbs, iter->d, email, + TOFU_POLICY_ASK, NULL, 1, now); + } + } + + free_strlist (conflict_set); + + if (tl == TRUST_NEVER) + trust_level = TRUST_NEVER; + else if (tl == TRUST_EXPIRED) + /* Ignore expired bindings in the trust calculation. */ + ; + else if (tl > trust_level) + { + /* The expected values: */ + log_assert (tl == TRUST_UNKNOWN || tl == TRUST_UNDEFINED + || tl == TRUST_MARGINAL || tl == TRUST_FULLY + || tl == TRUST_ULTIMATE); + + /* We assume the following ordering: */ + log_assert (TRUST_UNKNOWN < TRUST_UNDEFINED); + log_assert (TRUST_UNDEFINED < TRUST_MARGINAL); + log_assert (TRUST_MARGINAL < TRUST_FULLY); + log_assert (TRUST_FULLY < TRUST_ULTIMATE); + + trust_level = tl; + } + + xfree (email); + } + + if (need_warning && ! had_conflict) + show_warning (fingerprint, user_id_list); + + die: + tofu_end_batch_update (ctrl); + + xfree (fingerprint); + + if (bindings_valid == 0) + { + if (DBG_TRUST) + log_debug ("no (of %d) valid bindings." + " Can't get TOFU validity for this set of user ids.\n", + bindings); + return TRUST_NEVER; + } + + return trust_level; +} + +/* Set the policy for all non-revoked user ids in the keyblock KB to + POLICY. + + If no key is available with the specified key id, then this + function returns GPG_ERR_NO_PUBKEY. + + Returns 0 on success and an error code otherwise. */ +gpg_error_t +tofu_set_policy (ctrl_t ctrl, kbnode_t kb, enum tofu_policy policy) +{ + gpg_error_t err = 0; + time_t now = gnupg_get_time (); + tofu_dbs_t dbs; + PKT_public_key *pk; + char *fingerprint = NULL; + + log_assert (kb->pkt->pkttype == PKT_PUBLIC_KEY); + pk = kb->pkt->pkt.public_key; + + dbs = opendbs (ctrl); + if (! dbs) + { + log_error (_("error opening TOFU database: %s\n"), + gpg_strerror (GPG_ERR_GENERAL)); + return gpg_error (GPG_ERR_GENERAL); + } + + if (DBG_TRUST) + log_debug ("Setting TOFU policy for %s to %s\n", + keystr (pk->keyid), tofu_policy_str (policy)); + if (! pk_is_primary (pk)) + log_bug ("%s: Passed a subkey, but expecting a primary key.\n", __func__); + + fingerprint = hexfingerprint (pk, NULL, 0); + if (!fingerprint) + return gpg_error_from_syserror (); + + begin_transaction (ctrl, 0); + + for (; kb; kb = kb->next) + { + PKT_user_id *user_id; + char *email; + + if (kb->pkt->pkttype != PKT_USER_ID) + continue; + + user_id = kb->pkt->pkt.user_id; + if (user_id->flags.revoked) + /* Skip revoked user ids. (Don't skip expired user ids, the + expiry can be changed.) */ + continue; + + email = email_from_user_id (user_id->name); + + err = record_binding (dbs, fingerprint, email, user_id->name, + policy, TOFU_POLICY_NONE, NULL, 0, 1, now); + if (err) + { + log_error ("error setting policy for key %s, user id \"%s\": %s", + fingerprint, email, gpg_strerror (err)); + xfree (email); + break; + } + + xfree (email); + } + + if (err) + rollback_transaction (ctrl); + else + end_transaction (ctrl, 0); + + xfree (fingerprint); + return err; +} + +/* Return the TOFU policy for the specified binding in *POLICY. If no + policy has been set for the binding, sets *POLICY to + TOFU_POLICY_NONE. + + PK is a primary public key and USER_ID is a user id. + + Returns 0 on success and an error code otherwise. */ +gpg_error_t +tofu_get_policy (ctrl_t ctrl, PKT_public_key *pk, PKT_user_id *user_id, + enum tofu_policy *policy) +{ + time_t now = gnupg_get_time (); + tofu_dbs_t dbs; + char *fingerprint; + char *email; + + /* Make sure PK is a primary key. */ + log_assert (pk_is_primary (pk)); + + dbs = opendbs (ctrl); + if (! dbs) + { + log_error (_("error opening TOFU database: %s\n"), + gpg_strerror (GPG_ERR_GENERAL)); + return gpg_error (GPG_ERR_GENERAL); + } + + fingerprint = hexfingerprint (pk, NULL, 0); + if (!fingerprint) + return gpg_error_from_syserror (); + + email = email_from_user_id (user_id->name); + + *policy = get_policy (ctrl, dbs, pk, fingerprint, + user_id->name, email, NULL, now); + + xfree (email); + xfree (fingerprint); + if (*policy == _tofu_GET_POLICY_ERROR) + return gpg_error (GPG_ERR_GENERAL); + return 0; +} + +gpg_error_t +tofu_notice_key_changed (ctrl_t ctrl, kbnode_t kb) +{ + tofu_dbs_t dbs; + PKT_public_key *pk; + char *fingerprint; + char *sqlerr = NULL; + int rc; + + /* Make sure PK is a primary key. */ + setup_main_keyids (kb); + pk = kb->pkt->pkt.public_key; + log_assert (pk_is_primary (pk)); + + dbs = opendbs (ctrl); + if (! dbs) + { + log_error (_("error opening TOFU database: %s\n"), + gpg_strerror (GPG_ERR_GENERAL)); + return gpg_error (GPG_ERR_GENERAL); + } + + fingerprint = hexfingerprint (pk, NULL, 0); + if (!fingerprint) + return gpg_error_from_syserror (); + + rc = gpgsql_stepx (dbs->db, NULL, NULL, NULL, &sqlerr, + "update bindings set effective_policy = ?" + " where fingerprint = ?;", + GPGSQL_ARG_INT, (int) TOFU_POLICY_NONE, + GPGSQL_ARG_STRING, fingerprint, + GPGSQL_ARG_END); + xfree (fingerprint); + + if (rc == _tofu_GET_POLICY_ERROR) + return gpg_error (GPG_ERR_GENERAL); + return 0; +} |