You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
pEpEngine/src/keymanagement.c

2271 lines
76 KiB

2 years ago
/**
* @file keymanagement.c
* @brief Implementation of functions to manage keys
* (and identities when in relation to keys)
* @license GNU General Public License 3.0 - see LICENSE.txt
*/
#include "platform.h"
9 years ago
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#include <ctype.h>
9 years ago
8 years ago
#include "pEp_internal.h"
9 years ago
#include "keymanagement.h"
#include "keymanagement_internal.h"
#include "KeySync_fsm.h"
9 years ago
static bool key_matches_address(PEP_SESSION session, const char* address,
const char* fpr) {
if (!session || !address || !fpr)
return false;
bool retval = false;
stringlist_t *keylist = NULL;
PEP_STATUS status = find_keys(session, address, &keylist);
if (status == PEP_STATUS_OK && keylist) {
stringlist_t* curr = keylist;
while (curr) {
if (curr->value) {
if (strcasecmp(curr->value, fpr)) {
retval = true;
break;
}
}
curr = curr->next;
}
}
free_stringlist(keylist);
return retval;
}
// own_must_contain_private is usually true when calling;
// we only set it to false when we have the idea of
// possibly having an own pubkey that we need to check on its own
// N.B. Checked for PASSPHRASE errors - will now return them always
// False value of "renew_private" prevents their possibility, though.
PEP_STATUS validate_fpr(PEP_SESSION session,
pEp_identity* ident,
bool own_must_contain_private,
bool renew_private) {
PEP_STATUS status = PEP_STATUS_OK;
if (!session || !ident || !ident->fpr || !ident->fpr[0])
return PEP_ILLEGAL_VALUE;
char* fpr = ident->fpr;
bool has_private = false;
status = contains_priv_key(session, fpr, &has_private);
// N.B. Will not contain PEP_PASSPHRASE related returns here
if (ident->me && own_must_contain_private) {
if (status != PEP_STATUS_OK || !has_private)
return PEP_KEY_UNSUITABLE;
}
else if (status != PEP_STATUS_OK && has_private) // should never happen
has_private = false;
ident->comm_type = PEP_ct_unknown;
status = get_trust(session, ident);
if (status != PEP_STATUS_OK)
ident->comm_type = PEP_ct_unknown;
PEP_comm_type ct = ident->comm_type;
9 years ago
if (ct == PEP_ct_unknown) {
// If status is bad, it's ok, we get the rating
// we should use then (PEP_ct_unknown).
// Only one we really care about here is PEP_OUT_OF_MEMORY
status = get_key_rating(session, fpr, &ct);
if (status == PEP_OUT_OF_MEMORY)
return PEP_OUT_OF_MEMORY;
ident->comm_type = ct;
}
else if (ct == PEP_ct_key_expired || ct == PEP_ct_key_expired_but_confirmed) {
PEP_comm_type ct_expire_check = PEP_ct_unknown;
status = get_key_rating(session, fpr, &ct_expire_check);
if (status == PEP_OUT_OF_MEMORY)
return PEP_OUT_OF_MEMORY;
if (ct_expire_check >= PEP_ct_strong_but_unconfirmed) {
ident->comm_type = ct_expire_check;
if (ct == PEP_ct_key_expired_but_confirmed)
ident->comm_type |= PEP_ct_confirmed;
ct = ident->comm_type;
// We need to fix this trust in the DB.
status = set_trust(session, ident);
}
}
5 years ago
bool pEp_user = false;
status = is_pEp_user(session, ident, &pEp_user);
if (status == PEP_OUT_OF_MEMORY)
return PEP_OUT_OF_MEMORY;
5 years ago
if (pEp_user) {
switch (ct) {
case PEP_ct_OpenPGP:
case PEP_ct_OpenPGP_unconfirmed:
ct += 0x47; // difference between PEP and OpenPGP values;
ident->comm_type = ct;
break;
default:
break;
}
}
bool revoked, expired;
// Should not need to decrypt key material
status = key_revoked(session, fpr, &revoked);
if (status != PEP_STATUS_OK) {
return status;
}
if (!revoked) {
time_t exp_time = (ident->me ?
time(NULL) + (7*24*3600) : time(NULL));
// Should not need to decrypt key material
status = key_expired(session, fpr,
exp_time,
&expired);
assert(status == PEP_STATUS_OK);
if (status != PEP_STATUS_OK)
return status;
9 years ago
}
// Renew key if it's expired, our own, has a private part,
// isn't too weak, and we didn't say "DON'T DO THIS"
if (renew_private && ident->me && has_private &&
(ct >= PEP_ct_strong_but_unconfirmed) &&
!revoked && expired) {
// extend key
timestamp *ts = new_timestamp(time(NULL) + KEY_EXPIRE_DELTA);
status = renew_key(session, fpr, ts);
free_timestamp(ts);
8 years ago
if (status == PEP_PASSPHRASE_REQUIRED || status == PEP_WRONG_PASSPHRASE)
return status;
if (status == PEP_STATUS_OK) {
// if key is valid (second check because pEp key might be extended above)
// Return fpr
status = key_expired(session, fpr, time(NULL), &expired);
if (status != PEP_STATUS_OK)
return status;
if (expired) {
if (ident->comm_type & PEP_ct_confirmed || (ident->comm_type == PEP_ct_key_expired_but_confirmed))
ident->comm_type = PEP_ct_key_expired_but_confirmed;
else
ident->comm_type = PEP_ct_key_expired;
return status;
}
// communicate key(?)
}
7 years ago
}
if (revoked)
ct = PEP_ct_key_revoked;
else if (expired) {
if (ident->comm_type & PEP_ct_confirmed || (ident->comm_type == PEP_ct_key_expired_but_confirmed))
ct = PEP_ct_key_expired_but_confirmed;
else
ct = PEP_ct_key_expired;
}
switch (ct) {
case PEP_ct_key_revoked:
case PEP_ct_key_b0rken:
// delete key from being default key for all users/identities
status = remove_fpr_as_default(session, fpr);
// fallthrough intentional!
case PEP_ct_key_expired:
case PEP_ct_key_expired_but_confirmed:
// Note: we no longer remove expired keys as defaults; pEp users
// will either send us an updated key or a key reset, and OpenPGP
// users can either do the same or request a manual key reset.
// We don't want to upset the automated updating of expired keys.
status = update_trust_for_fpr(session,
fpr,
ct);
case PEP_ct_mistrusted:
free(ident->fpr);
ident->fpr = NULL;
ident->comm_type = ct;
status = PEP_KEY_UNSUITABLE;
default:
break;
}
return status;
}
7 years ago
PEP_STATUS get_all_keys_for_user(PEP_SESSION session,
const char* user_id,
stringlist_t** keys) {
if (!session || EMPTYSTR(user_id) || !keys)
return PEP_ILLEGAL_VALUE;
PEP_STATUS status = PEP_STATUS_OK;
*keys = NULL;
stringlist_t* _kl = NULL;
sqlite3_reset(session->get_all_keys_for_user);
sqlite3_bind_text(session->get_all_keys_for_user, 1, user_id, -1, SQLITE_STATIC);
int result = -1;
3 years ago
while ((result = sqlite3_step(session->get_all_keys_for_user)) == SQLITE_ROW) {
const char* keyres = (const char *) sqlite3_column_text(session->get_all_keys_for_user, 0);
if (keyres) {
if (_kl)
stringlist_add(_kl, keyres);
else
_kl = new_stringlist(keyres);
}
}
if (!_kl)
return PEP_KEY_NOT_FOUND;
*keys = _kl;
sqlite3_reset(session->get_all_keys_for_user);
return status;
}
PEP_STATUS get_user_default_key(PEP_SESSION session, const char* user_id,
char** default_key) {
assert(session);
assert(user_id);
if (!session || !user_id)
return PEP_ILLEGAL_VALUE;
PEP_STATUS status = PEP_STATUS_OK;
// try to get default key for user_data
sqlite3_reset(session->get_user_default_key);
sqlite3_bind_text(session->get_user_default_key, 1, user_id,
-1, SQLITE_STATIC);
3 years ago
const int result = sqlite3_step(session->get_user_default_key);
char* user_fpr = NULL;
if (result == SQLITE_ROW) {
const char* u_fpr =
(char *) sqlite3_column_text(session->get_user_default_key, 0);
if (u_fpr)
user_fpr = strdup(u_fpr);
}
else
status = PEP_GET_KEY_FAILED;
sqlite3_reset(session->get_user_default_key);
*default_key = user_fpr;
return status;
}
// Only call on retrieval of previously stored identity!
// Also, we presume that if the stored_identity was sent in
// without an fpr, there wasn't one in the trust DB for this
// identity.
//
// Will now NOT return passphrase errors, as we tell
// validate_fpr NOT to renew it. And we specifically suppress them
// with "PEP_KEY_UNSUITABLE"
//
PEP_STATUS get_valid_pubkey(PEP_SESSION session,
pEp_identity* stored_identity,
bool* is_identity_default,
bool* is_user_default,
bool* is_address_default) {
if (!session)
return PEP_ILLEGAL_VALUE;
PEP_STATUS status = PEP_STATUS_OK;
if (!stored_identity || EMPTYSTR(stored_identity->user_id)
|| !is_identity_default || !is_user_default || !is_address_default)
return PEP_ILLEGAL_VALUE;
*is_identity_default = *is_user_default = *is_address_default = false;
PEP_comm_type first_reject_comm_type = PEP_ct_key_not_found;
PEP_STATUS first_reject_status = PEP_KEY_NOT_FOUND;
char* stored_fpr = stored_identity->fpr;
// Input: stored identity retrieved from database
// if stored identity contains a default key; if so, we return from here
if (!EMPTYSTR(stored_fpr)) {
// Won't ask for passphrase, won't return PASSPHRASE status
// Because of non-renewal
status = validate_fpr(session, stored_identity, true, false);
switch (status) {
case PEP_STATUS_OK:
if (!EMPTYSTR(stored_identity->fpr)) {
*is_identity_default = *is_address_default = true;
return status;
}
break;
case PEP_KEY_NOT_FOUND:
break;
default:
first_reject_status = status;
first_reject_comm_type = stored_identity->comm_type;
}
}
// if no valid default stored identity key found
free(stored_identity->fpr);
stored_identity->fpr = NULL;
char* user_fpr = NULL;
status = get_user_default_key(session, stored_identity->user_id, &user_fpr);
if (!EMPTYSTR(user_fpr)) {
// There exists a default key for user, so validate
stored_identity->fpr = user_fpr;
// Won't ask for passphrase, won't return PASSPHRASE status
// Because of non-renewal
status = validate_fpr(session, stored_identity, true, false);
switch (status) {
case PEP_STATUS_OK:
if (!EMPTYSTR(stored_identity->fpr)) {
*is_user_default = true;
*is_address_default = key_matches_address(session,
stored_identity->address,
stored_identity->fpr);
return status;
}
break;
case PEP_KEY_NOT_FOUND:
break;
default:
if (first_reject_status != PEP_KEY_NOT_FOUND) {
first_reject_status = status;
first_reject_comm_type = stored_identity->comm_type;
}
}
}
// If we got here, there's no usable default.
switch (first_reject_comm_type) {
case PEP_ct_key_revoked:
case PEP_ct_key_b0rken:
case PEP_ct_key_expired:
case PEP_ct_key_expired_but_confirmed:
case PEP_ct_compromised:
case PEP_ct_mistrusted:
// this only happens when it's all there is
status = first_reject_status;
free(stored_identity->fpr);
stored_identity->fpr = NULL;
stored_identity->comm_type = first_reject_comm_type;
break;
default:
break;
}
// should never happen, but we will MAKE sure
if (PASS_ERROR(status))
status = PEP_KEY_UNSUITABLE; // renew it on your own time, baby
return status;
}
9 years ago
/**
* @internal
*
* <!-- transfer_ident_lang_and_flags() -->
*
* @brief TODO
*
* @param[in] *new_ident pEp_identity
* @param[in] *stored_ident pEp_identity
*
*/
static void transfer_ident_lang_and_flags(pEp_identity* new_ident,
pEp_identity* stored_ident) {
if (!(new_ident && stored_ident))
return;
if (new_ident->lang[0] == 0) {
new_ident->lang[0] = stored_ident->lang[0];
new_ident->lang[1] = stored_ident->lang[1];
new_ident->lang[2] = 0;
}
new_ident->flags = stored_ident->flags;
new_ident->me = new_ident->me || stored_ident->me;
}
/**
* @internal
*
* <!-- adjust_pEp_trust_status() -->
*
* @brief TODO
*
* @param[in] session session handle
* @param[in] *identity pEp_identity
*
*/
5 years ago
static void adjust_pEp_trust_status(PEP_SESSION session, pEp_identity* identity) {
assert(session);
assert(identity);
if (!session || !identity ||
identity->comm_type < PEP_ct_strong_but_unconfirmed ||
((identity->comm_type | PEP_ct_confirmed) == PEP_ct_pEp) )
return;
5 years ago
bool pEp_user;
5 years ago
is_pEp_user(session, identity, &pEp_user);
5 years ago
if (pEp_user) {
PEP_comm_type confirmation_status = identity->comm_type & PEP_ct_confirmed;
identity->comm_type = PEP_ct_pEp_unconfirmed | confirmation_status;
if (identity->major_ver == 0) {
identity->major_ver = 2;
identity->minor_ver = 1;
}
}
}
// NEVER called on an own identity.
// But we also make sure get_valid_pubkey
// and friends NEVER return with a password error.
// (get_valid_pubkey tells validate_fpr not to try renewal)
// Will not return PASSPHRASE errors.
/**
* @internal
*
* <!-- prepare_updated_identity() -->
*
* @brief TODO
*
* @param[in] session session handle
* @param[in] *return_id pEp_identity
* @param[in] *stored_ident pEp_identity
* @param[in] store bool
*
2 years ago
* @retval PEP_STATUS_OK
* @retval PEP_ILLEGAL_VALUE illegal parameter values
* @retval any other value on error
*/
static PEP_STATUS prepare_updated_identity(PEP_SESSION session,
pEp_identity* return_id,
pEp_identity* stored_ident,
bool store) {
if (!session || !return_id || !stored_ident)
return PEP_ILLEGAL_VALUE;
PEP_STATUS status;
bool is_identity_default, is_user_default, is_address_default;
bool no_stored_default = EMPTYSTR(stored_ident->fpr);
status = get_valid_pubkey(session, stored_ident,
&is_identity_default,
&is_user_default,
&is_address_default);
bool is_pEp = false;
switch (status) {
// FIXME: can we get memory or DB errors from the above? If so, handle it.
case PEP_STATUS_OK:
if (!EMPTYSTR(stored_ident->fpr)) {
// set identity comm_type from trust db (user_id, FPR)
status = get_trust(session, stored_ident);
PEP_comm_type ct = stored_ident->comm_type;
if (status == PEP_CANNOT_FIND_IDENTITY || ct == PEP_ct_unknown || ct == PEP_ct_key_not_found) {
// This is OK - there is no trust DB entry, but we
// found a key. We won't store this, but we'll
// use it.
ct = PEP_ct_unknown;
status = get_key_rating(session, stored_ident->fpr, &ct);
stored_ident->comm_type = (ct == PEP_ct_unknown ? PEP_ct_key_not_found : ct);
}
}
else if (stored_ident->comm_type == PEP_ct_unknown)
stored_ident->comm_type = PEP_ct_key_not_found;
break;
case PEP_KEY_UNSUITABLE:
status = PEP_STATUS_OK;
// explicit fallthrough
default:
is_pEp_user(session, stored_ident, &is_pEp);
if (is_pEp) {
switch (stored_ident->comm_type) {
case PEP_ct_key_expired:
case PEP_ct_key_expired_but_confirmed:
store = false;
break;
default:
break;
}
}
free(stored_ident->fpr);
stored_ident->fpr = NULL;
stored_ident->comm_type = PEP_ct_key_not_found;
}
free(return_id->fpr);
return_id->fpr = NULL;
if (status == PEP_STATUS_OK && !EMPTYSTR(stored_ident->fpr))
return_id->fpr = strdup(stored_ident->fpr);
return_id->comm_type = stored_ident->comm_type;
// We patch the DB with the input username, but if we didn't have
// one, we pull it out of storage if available.
if (!EMPTYSTR(stored_ident->username)) {
if (!EMPTYSTR(return_id->username) &&
(strcasecmp(return_id->username, return_id->address) == 0)) {
free(return_id->username);
return_id->username = NULL;
}
if (EMPTYSTR(return_id->username)) {
free(return_id->username);
return_id->username = strdup(stored_ident->username);
}
}
else {
if (EMPTYSTR(return_id->username))
return_id->username = strdup(return_id->address);
}
return_id->me = stored_ident->me;
return_id->major_ver = stored_ident->major_ver;
return_id->minor_ver = stored_ident->minor_ver;
// FIXME: Do we ALWAYS do this? We probably should...
if (EMPTYSTR(return_id->user_id)) {
free(return_id->user_id);
return_id->user_id = strdup(stored_ident->user_id);
}
5 years ago
adjust_pEp_trust_status(session, return_id);
// Call set_identity() to store
if (store && (is_identity_default || is_user_default) &&
is_address_default) {
// if we got an fpr which is default for either user
// or identity AND is valid for this address, set in DB
// as default
status = set_identity(session, return_id);
}
else if (store && no_stored_default && !EMPTYSTR(return_id->fpr)
&& return_id->comm_type != PEP_ct_key_revoked
&& return_id->comm_type != PEP_ct_key_expired
&& return_id->comm_type != PEP_ct_key_expired_but_confirmed
&& return_id->comm_type != PEP_ct_mistrusted
&& return_id->comm_type != PEP_ct_key_b0rken) {
// We would have stored this anyway for a first-time elected key. We just have an ident w/ no default already.
status = set_identity(session, return_id);
}
else { // this is a key other than the default, but there IS a default (FIXME: fdik, do we really want behaviour below?)
// Store without default fpr/ct, but return the fpr and ct
// for current use
char* save_fpr = return_id->fpr;
PEP_comm_type save_ct = return_id->comm_type;
return_id->fpr = NULL;
return_id->comm_type = PEP_ct_unknown;
if (store) {
PEP_STATUS save_status = status;
status = set_identity(session, return_id);
if (save_status != PEP_STATUS_OK)
status = save_status;
}
return_id->fpr = save_fpr;
return_id->comm_type = save_ct;
}
transfer_ident_lang_and_flags(return_id, stored_ident);
return_id->enc_format = stored_ident->enc_format;
if (return_id->comm_type == PEP_ct_unknown)
return_id->comm_type = PEP_ct_key_not_found;
return status;
}
// Should not return PASSPHRASE errors because we force
// calls that can cause key renewal not to.
DYNAMIC_API PEP_STATUS update_identity(
PEP_SESSION session, pEp_identity * identity
)
{
PEP_STATUS status = PEP_STATUS_OK;
assert(session);
assert(identity);
assert(!EMPTYSTR(identity->address));
if (!(session && identity && !EMPTYSTR(identity->address)))
return PEP_ILLEGAL_VALUE;
//
// Record some information about the input identity so that we don't keep
// evaluating it
//
bool is_own_user = identity->me;
bool input_has_user_id = !EMPTYSTR(identity->user_id);
bool input_has_username = !EMPTYSTR(identity->username);
bool input_has_real_id = input_has_user_id ? (strstr(identity->user_id, "TOFU_") != identity->user_id) : false;
char* default_own_id = NULL;
pEp_identity* stored_ident = NULL;
status = get_default_own_userid(session, &default_own_id);
if (status == PEP_STATUS_OK || status == PEP_CANNOT_FIND_IDENTITY)
status = PEP_STATUS_OK;
else
goto pEp_free;
// To be clear, if an own identity comes in here, the only way we will accept
// it is if the caller did not KNOW this, as indicated by the lack of a known
// own user_id and identity->me being false.
//
// IF either of these are set, then the call will fail. If, however, we get
// an identity which simply has the own address on it, we'll kindly call a read-only
// version of myself.
if (!is_own_user) {
if (default_own_id) {
if (input_has_user_id) {
if (strcmp(default_own_id, identity->user_id) == 0) {
is_own_user = true;
}
else {
char* alias = NULL;
if (get_userid_alias_default(session, identity->user_id, &alias) == PEP_STATUS_OK) {
if (alias && strcmp(default_own_id, alias) == 0)
is_own_user = true;
free(alias);
}
}
}
else {
// Check if own address. For now, this is a special case;
// we try to require apps to send in user_ids, but must prevent
// writes to an own identity from within THIS function
// NOTE: These semantics MAY CHANGE.
bool _own_addr = false;
is_own_address(session, identity->address, &_own_addr);
if (_own_addr) {
free(identity->user_id);
// ENGINE-952: Ownership transfer. Allocated and checked above.
identity->user_id = default_own_id;
// Do not renew, do not generate
return _myself(session, identity, false, false, false, true);
}
}
}
// Otherwise, we don't even HAVE an own user yet, so we're ok.
}
if (is_own_user) {
free(default_own_id);
return PEP_ILLEGAL_VALUE;
}
// We have, at least, an address.
// Retrieve stored identity information!
//////////////////////////////////////////////////////////////////////////////////////////////////////
// If we can get a starting identity from the database, do it. If we have a user_id (thank you, users),
// this is pretty simple.
//
// Otherwise, we double-check that someone didn't pass in an own address (hey, if you don't give us a
// user_id, we're have to guess somehow, and treating own identities like partner identities is dangerous).
//////////////////////////////////////////////////////////////////////////////////////////////////////
if (input_has_user_id) {
// (we're gonna update the trust/fpr anyway, so we use the no-fpr-from-trust-db variant)
// * do get_identity() to retrieve stored identity information
status = get_identity_without_trust_check(session, identity->address, identity->user_id, &stored_ident);
}
else { // see if we perhaps own this user
if (default_own_id) {
status = get_identity(session,
identity->address,
default_own_id,
&stored_ident);