2017-02-19 10:36:43 +01:00
|
|
|
/* http-ntbtls.c - Support for using NTBTLS with http.c
|
|
|
|
* Copyright (C) 2017 Werner Koch
|
|
|
|
*
|
|
|
|
* This file is part of GnuPG.
|
|
|
|
*
|
|
|
|
* GnuPG is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
*
|
|
|
|
* GnuPG is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, see <https://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
#include "dirmngr.h"
|
|
|
|
#include "certcache.h"
|
|
|
|
#include "validate.h"
|
2017-03-02 18:17:58 +01:00
|
|
|
#include "http-common.h"
|
2017-02-19 10:36:43 +01:00
|
|
|
|
|
|
|
#ifdef HTTP_USE_NTBTLS
|
|
|
|
# include <ntbtls.h>
|
|
|
|
|
|
|
|
|
|
|
|
/* The callback used to verify the peer's certificate. */
|
|
|
|
gpg_error_t
|
|
|
|
gnupg_http_tls_verify_cb (void *opaque,
|
|
|
|
http_t http,
|
|
|
|
http_session_t session,
|
|
|
|
unsigned int http_flags,
|
|
|
|
void *tls_context)
|
|
|
|
{
|
|
|
|
ctrl_t ctrl = opaque;
|
2017-02-21 14:55:04 +01:00
|
|
|
ntbtls_t tls = tls_context;
|
2017-02-19 10:36:43 +01:00
|
|
|
gpg_error_t err;
|
|
|
|
int idx;
|
|
|
|
ksba_cert_t cert;
|
|
|
|
ksba_cert_t hostcert = NULL;
|
|
|
|
unsigned int validate_flags;
|
2021-06-25 19:15:24 +02:00
|
|
|
/* const char *hostname; */
|
2017-02-19 10:36:43 +01:00
|
|
|
|
|
|
|
(void)http;
|
|
|
|
(void)session;
|
|
|
|
|
|
|
|
log_assert (ctrl && ctrl->magic == SERVER_CONTROL_MAGIC);
|
2017-02-21 14:55:04 +01:00
|
|
|
log_assert (!ntbtls_check_context (tls));
|
2017-02-19 10:36:43 +01:00
|
|
|
|
2018-10-24 21:56:18 +02:00
|
|
|
/* Get the peer's certs from ntbtls. */
|
2017-02-19 10:36:43 +01:00
|
|
|
for (idx = 0;
|
2017-02-21 14:55:04 +01:00
|
|
|
(cert = ntbtls_x509_get_peer_cert (tls, idx)); idx++)
|
2017-02-19 10:36:43 +01:00
|
|
|
{
|
|
|
|
if (!idx)
|
|
|
|
hostcert = cert;
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* Quick hack to make verification work by inserting the supplied
|
|
|
|
* certs into the cache. FIXME! */
|
|
|
|
cache_cert (cert);
|
|
|
|
ksba_cert_release (cert);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!idx)
|
|
|
|
{
|
|
|
|
err = gpg_error (GPG_ERR_MISSING_CERT);
|
|
|
|
goto leave;
|
|
|
|
}
|
|
|
|
|
|
|
|
validate_flags = VALIDATE_FLAG_TLS;
|
2017-02-21 14:55:04 +01:00
|
|
|
|
2020-09-10 09:13:59 +02:00
|
|
|
/* If we are using the standard hkps:// pool use the dedicated root
|
2024-05-13 00:09:23 +02:00
|
|
|
* certificate. Note that this differs from the GnuTLS
|
2020-09-10 09:13:59 +02:00
|
|
|
* implementation which uses this special certificate only if no
|
|
|
|
* other certificates are configured. */
|
2021-06-25 19:15:24 +02:00
|
|
|
/* Disabled for 2.3.2 to due problems with the standard hkps pool. */
|
|
|
|
/* hostname = ntbtls_get_hostname (tls); */
|
|
|
|
/* if (hostname */
|
|
|
|
/* && !ascii_strcasecmp (hostname, get_default_keyserver (1))) */
|
|
|
|
/* { */
|
|
|
|
/* validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL; */
|
|
|
|
/* } */
|
|
|
|
/* else */
|
2017-02-21 14:55:04 +01:00
|
|
|
{
|
2021-06-25 19:15:24 +02:00
|
|
|
/* Use the certificates as requested from the HTTP module. */
|
2018-04-25 09:43:18 +02:00
|
|
|
if ((http_flags & HTTP_FLAG_TRUST_CFG))
|
|
|
|
validate_flags |= VALIDATE_FLAG_TRUST_CONFIG;
|
2017-02-21 14:55:04 +01:00
|
|
|
if ((http_flags & HTTP_FLAG_TRUST_DEF))
|
|
|
|
validate_flags |= VALIDATE_FLAG_TRUST_HKP;
|
|
|
|
if ((http_flags & HTTP_FLAG_TRUST_SYS))
|
|
|
|
validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
|
2017-09-18 22:49:05 +02:00
|
|
|
|
|
|
|
/* If HKP trust is requested and there are no HKP certificates
|
2018-04-25 09:43:18 +02:00
|
|
|
* configured, also try the standard system certificates. */
|
2017-09-18 22:49:05 +02:00
|
|
|
if ((validate_flags & VALIDATE_FLAG_TRUST_HKP)
|
|
|
|
&& !cert_cache_any_in_class (CERTTRUST_CLASS_HKP))
|
|
|
|
validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
|
2017-02-21 14:55:04 +01:00
|
|
|
}
|
2017-02-19 10:36:43 +01:00
|
|
|
|
2017-02-21 09:37:07 +01:00
|
|
|
if ((http_flags & HTTP_FLAG_NO_CRL))
|
|
|
|
validate_flags |= VALIDATE_FLAG_NOCRLCHECK;
|
2017-02-19 10:36:43 +01:00
|
|
|
|
|
|
|
err = validate_cert_chain (ctrl, hostcert, NULL, validate_flags, NULL);
|
|
|
|
|
|
|
|
leave:
|
|
|
|
ksba_cert_release (hostcert);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#else /*!HTTP_USE_NTBTLS*/
|
|
|
|
|
|
|
|
/* Dummy function used when not build without ntbtls support. */
|
|
|
|
gpg_error_t
|
|
|
|
gnupg_http_tls_verify_cb (void *opaque,
|
|
|
|
http_t http,
|
|
|
|
http_session_t session,
|
|
|
|
unsigned int flags,
|
|
|
|
void *tls_context)
|
|
|
|
{
|
|
|
|
(void)opaque;
|
|
|
|
(void)http;
|
|
|
|
(void)session;
|
|
|
|
(void)flags;
|
|
|
|
(void)tls_context;
|
|
|
|
return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
|
|
|
|
}
|
|
|
|
#endif /*!HTTP_USE_NTBTLS*/
|