dirmngr: Make building with a TLS library mandatory

* configure.ac: Do not build dirmngr if no TLS is available.
* dirmngr/http.c: Remove all uses of the USE_TLS macro.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2019-11-26 12:02:27 +01:00
parent 8fb14d3b3f
commit 1009e4e5f7
2 changed files with 37 additions and 59 deletions


@ -1026,7 +1026,7 @@ AC_ARG_ENABLE(npth-debug,
# #
# NTBTLS is our TLS library. If it is not available fallback to # NTBTLS is our TLS library. If it is not available we fall back to
# GNUTLS. # GNUTLS.
# #
AC_ARG_ENABLE(ntbtls, AC_ARG_ENABLE(ntbtls,
@ -1057,9 +1057,10 @@ else
AC_DEFINE(HTTP_USE_GNUTLS, 1, [Enable GNUTLS support in http.c]) AC_DEFINE(HTTP_USE_GNUTLS, 1, [Enable GNUTLS support in http.c])
else else
tmp=$(echo "$LIBGNUTLS_PKG_ERRORS" | tr '\n' '\v' | sed 's/\v/\n*** /g') tmp=$(echo "$LIBGNUTLS_PKG_ERRORS" | tr '\n' '\v' | sed 's/\v/\n*** /g')
build_dirmngr=no
AC_MSG_WARN([[ AC_MSG_WARN([[
*** ***
*** Building without NTBTLS and GNUTLS - no TLS access to keyservers. *** Neither NTBTLS nor GNUTLS available - not building dirmngr.
*** ***
*** $tmp]]) *** $tmp]])
fi fi
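Review bot: The hunk at line 1057 only emits `AC_MSG_WARN` when neither NTBTLS nor GNUTLS is found and sets `build_dirmngr=no`, so a build host that merely lacks the TLS development headers silently drops dirmngr, and with it every keyserver and CRL/OCSP fetch, which a packager may not notice until runtime. Consider failing hard with `AC_MSG_ERROR` when dirmngr was explicitly requested (any such enable option is not visible in this hunk), or at least make sure the final configure summary reports `dirmngr: $build_dirmngr` so the downgrade is visible in build logs. The enclosing GNUTLS detection `if`/`else` starts outside the hunk.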


@ -2,7 +2,7 @@
* Copyright (C) 1999, 2001, 2002, 2003, 2004, 2006, 2009, 2010, * Copyright (C) 1999, 2001, 2002, 2003, 2004, 2006, 2009, 2010,
* 2011 Free Software Foundation, Inc. * 2011 Free Software Foundation, Inc.
* Copyright (C) 2014 Werner Koch * Copyright (C) 2014 Werner Koch
* Copyright (C) 2015-2018 g10 Code GmbH * Copyright (C) 2015-2019 g10 Code GmbH
* *
* This file is part of GnuPG. * This file is part of GnuPG.
* *
@ -39,9 +39,8 @@
- stpcpy is required - stpcpy is required
- fixme: list other requirements. - fixme: list other requirements.
- Either HTTP_USE_NTBTLS or HTTP_USE_GNUTLS must be defind to select
- With HTTP_USE_NTBTLS or HTTP_USE_GNUTLS support for https is which TLS library to use.
provided (this also requires estream).
- With HTTP_NO_WSASTARTUP the socket initialization is not done - With HTTP_NO_WSASTARTUP the socket initialization is not done
under Windows. This is useful if the socket layer has already under Windows. This is useful if the socket layer has already
@ -136,13 +135,10 @@
#if HTTP_USE_NTBTLS #if HTTP_USE_NTBTLS
typedef ntbtls_t tls_session_t; typedef ntbtls_t tls_session_t;
# define USE_TLS 1
#elif HTTP_USE_GNUTLS #elif HTTP_USE_GNUTLS
typedef gnutls_session_t tls_session_t; typedef gnutls_session_t tls_session_t;
# define USE_TLS 1
#else #else
typedef void *tls_session_t; # error building without TLS is not supported
# undef USE_TLS
#endif #endif
static gpg_err_code_t do_parse_uri (parsed_uri_t uri, int only_local_part, static gpg_err_code_t do_parse_uri (parsed_uri_t uri, int only_local_part,
@ -241,10 +237,7 @@ struct http_session_s
unsigned long magic; unsigned long magic;
int refcount; /* Number of references to this object. */ int refcount; /* Number of references to this object. */
#ifdef HTTP_USE_GNUTLS
gnutls_certificate_credentials_t certcred;
#endif /*HTTP_USE_GNUTLS*/
#ifdef USE_TLS
tls_session_t tls_session; tls_session_t tls_session;
struct { struct {
int done; /* Verifciation has been done. */ int done; /* Verifciation has been done. */
@ -252,7 +245,7 @@ struct http_session_s
unsigned int status; /* Verification status. */ unsigned int status; /* Verification status. */
} verify; } verify;
char *servername; /* Malloced server name. */ char *servername; /* Malloced server name. */
#endif /*USE_TLS*/
/* A callback function to log details of TLS certifciates. */ /* A callback function to log details of TLS certifciates. */
void (*cert_log_cb) (http_session_t, gpg_error_t, const char *, void (*cert_log_cb) (http_session_t, gpg_error_t, const char *,
const void **, size_t *); const void **, size_t *);
@ -266,6 +259,10 @@ struct http_session_s
/* The connect timeout */ /* The connect timeout */
unsigned int connect_timeout; unsigned int connect_timeout;
#ifdef HTTP_USE_GNUTLS
gnutls_certificate_credentials_t certcred;
#endif /*HTTP_USE_GNUTLS*/
}; };
@ -649,31 +646,29 @@ notify_netactivity (void)
#ifdef USE_TLS
/* Free the TLS session associated with SESS, if any. */ /* Free the TLS session associated with SESS, if any. */
static void static void
close_tls_session (http_session_t sess) close_tls_session (http_session_t sess)
{ {
if (sess->tls_session) if (sess->tls_session)
{ {
# if HTTP_USE_NTBTLS #if HTTP_USE_NTBTLS
/* FIXME!! /* FIXME!!
Possibly, ntbtls_get_transport and close those streams. Possibly, ntbtls_get_transport and close those streams.
Somehow get SOCK to call my_socket_unref. Somehow get SOCK to call my_socket_unref.
*/ */
ntbtls_release (sess->tls_session); ntbtls_release (sess->tls_session);
# elif HTTP_USE_GNUTLS #elif HTTP_USE_GNUTLS
my_socket_t sock = gnutls_transport_get_ptr (sess->tls_session); my_socket_t sock = gnutls_transport_get_ptr (sess->tls_session);
my_socket_unref (sock, NULL, NULL); my_socket_unref (sock, NULL, NULL);
gnutls_deinit (sess->tls_session); gnutls_deinit (sess->tls_session);
if (sess->certcred) if (sess->certcred)
gnutls_certificate_free_credentials (sess->certcred); gnutls_certificate_free_credentials (sess->certcred);
# endif /*HTTP_USE_GNUTLS*/ #endif /*HTTP_USE_GNUTLS*/
xfree (sess->servername); xfree (sess->servername);
sess->tls_session = NULL; sess->tls_session = NULL;
} }
} }
#endif /*USE_TLS*/
/* Release a session. Take care not to release it while it is being /* Release a session. Take care not to release it while it is being
@ -693,15 +688,14 @@ session_unref (int lnr, http_session_t sess)
if (sess->refcount) if (sess->refcount)
return; return;
#ifdef USE_TLS
close_tls_session (sess); close_tls_session (sess);
#endif /*USE_TLS*/
sess->magic = 0xdeadbeef; sess->magic = 0xdeadbeef;
xfree (sess); xfree (sess);
} }
#define http_session_unref(a) session_unref (__LINE__, (a)) #define http_session_unref(a) session_unref (__LINE__, (a))
void void
http_session_release (http_session_t sess) http_session_release (http_session_t sess)
{ {
@ -887,9 +881,7 @@ http_session_new (http_session_t *r_session,
log_debug ("http.c:session_new: sess %p created\n", sess); log_debug ("http.c:session_new: sess %p created\n", sess);
err = 0; err = 0;
#if USE_TLS
leave: leave:
#endif /*USE_TLS*/
if (err) if (err)
http_session_unref (sess); http_session_unref (sess);
else else
@ -1379,7 +1371,6 @@ do_parse_uri (parsed_uri_t uri, int only_local_part,
uri->port = 11371; uri->port = 11371;
uri->is_http = 1; uri->is_http = 1;
} }
#ifdef USE_TLS
else if (!strcmp (uri->scheme, "https") || !strcmp (uri->scheme,"hkps") else if (!strcmp (uri->scheme, "https") || !strcmp (uri->scheme,"hkps")
|| (force_tls && (!strcmp (uri->scheme, "http") || (force_tls && (!strcmp (uri->scheme, "http")
|| !strcmp (uri->scheme,"hkp")))) || !strcmp (uri->scheme,"hkp"))))
@ -1388,7 +1379,6 @@ do_parse_uri (parsed_uri_t uri, int only_local_part,
uri->is_http = 1; uri->is_http = 1;
uri->use_tls = 1; uri->use_tls = 1;
} }
#endif /*USE_TLS*/
else if (!no_scheme_check) else if (!no_scheme_check)
return GPG_ERR_INV_URI; /* Unsupported scheme */ return GPG_ERR_INV_URI; /* Unsupported scheme */
@ -1752,16 +1742,13 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
char *proxy_authstr = NULL; char *proxy_authstr = NULL;
char *authstr = NULL; char *authstr = NULL;
assuan_fd_t sock; assuan_fd_t sock;
#ifdef USE_TLS
int have_http_proxy = 0; int have_http_proxy = 0;
#endif
if (hd->uri->use_tls && !hd->session) if (hd->uri->use_tls && !hd->session)
{ {
log_error ("TLS requested but no session object provided\n"); log_error ("TLS requested but no session object provided\n");
return gpg_err_make (default_errsource, GPG_ERR_INTERNAL); return gpg_err_make (default_errsource, GPG_ERR_INTERNAL);
} }
#ifdef USE_TLS
if (hd->uri->use_tls && !hd->session->tls_session) if (hd->uri->use_tls && !hd->session->tls_session)
{ {
log_error ("TLS requested but no TLS context available\n"); log_error ("TLS requested but no TLS context available\n");
@ -1769,15 +1756,12 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
} }
if (opt_debug) if (opt_debug)
log_debug ("Using TLS library: %s %s\n", log_debug ("Using TLS library: %s %s\n",
# if HTTP_USE_NTBTLS #if HTTP_USE_NTBTLS
"NTBTLS", ntbtls_check_version (NULL) "NTBTLS", ntbtls_check_version (NULL)
# elif HTTP_USE_GNUTLS #elif HTTP_USE_GNUTLS
"GNUTLS", gnutls_check_version (NULL) "GNUTLS", gnutls_check_version (NULL)
# else #endif /*HTTP_USE_GNUTLS*/
"?", "?"
# endif /*HTTP_USE_*TLS*/
); );
#endif /*USE_TLS*/
if ((hd->flags & HTTP_FLAG_FORCE_TOR)) if ((hd->flags & HTTP_FLAG_FORCE_TOR))
{ {
@ -1798,12 +1782,11 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
port = hd->uri->port ? hd->uri->port : 80; port = hd->uri->port ? hd->uri->port : 80;
/* Try to use SNI. */ /* Try to use SNI. */
#ifdef USE_TLS
if (hd->uri->use_tls) if (hd->uri->use_tls)
{ {
# if HTTP_USE_GNUTLS #if HTTP_USE_GNUTLS
int rc; int rc;
# endif #endif
xfree (hd->session->servername); xfree (hd->session->servername);
hd->session->servername = xtrystrdup (httphost? httphost : server); hd->session->servername = xtrystrdup (httphost? httphost : server);
@ -1813,7 +1796,7 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
return err; return err;
} }
# if HTTP_USE_NTBTLS #if HTTP_USE_NTBTLS
err = ntbtls_set_hostname (hd->session->tls_session, err = ntbtls_set_hostname (hd->session->tls_session,
hd->session->servername); hd->session->servername);
if (err) if (err)
@ -1821,16 +1804,15 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
log_info ("ntbtls_set_hostname failed: %s\n", gpg_strerror (err)); log_info ("ntbtls_set_hostname failed: %s\n", gpg_strerror (err));
return err; return err;
} }
# elif HTTP_USE_GNUTLS #elif HTTP_USE_GNUTLS
rc = gnutls_server_name_set (hd->session->tls_session, rc = gnutls_server_name_set (hd->session->tls_session,
GNUTLS_NAME_DNS, GNUTLS_NAME_DNS,
hd->session->servername, hd->session->servername,
strlen (hd->session->servername)); strlen (hd->session->servername));
if (rc < 0) if (rc < 0)
log_info ("gnutls_server_name_set failed: %s\n", gnutls_strerror (rc)); log_info ("gnutls_server_name_set failed: %s\n", gnutls_strerror (rc));
# endif /*HTTP_USE_GNUTLS*/ #endif /*HTTP_USE_GNUTLS*/
} }
#endif /*USE_TLS*/
if ( (proxy && *proxy) if ( (proxy && *proxy)
|| ( (hd->flags & HTTP_FLAG_TRY_PROXY) || ( (hd->flags & HTTP_FLAG_TRY_PROXY)
@ -1855,10 +1837,8 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
if (err) if (err)
; ;
#ifdef USE_TLS
else if (!strcmp (uri->scheme, "http")) else if (!strcmp (uri->scheme, "http"))
have_http_proxy = 1; have_http_proxy = 1;
#endif
else if (!strcmp (uri->scheme, "socks4") else if (!strcmp (uri->scheme, "socks4")
|| !strcmp (uri->scheme, "socks5h")) || !strcmp (uri->scheme, "socks5h"))
err = gpg_err_make (default_errsource, GPG_ERR_NOT_IMPLEMENTED); err = gpg_err_make (default_errsource, GPG_ERR_NOT_IMPLEMENTED);
@ -1911,7 +1891,6 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
return gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); return gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
} }
#if USE_TLS
if (have_http_proxy && hd->uri->use_tls) if (have_http_proxy && hd->uri->use_tls)
{ {
int saved_flags; int saved_flags;
@ -1998,7 +1977,6 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
* TLS session and talk directly to the target server. */ * TLS session and talk directly to the target server. */
http_proxy = NULL; http_proxy = NULL;
} }
#endif /* USE_TLS */
#if HTTP_USE_NTBTLS #if HTTP_USE_NTBTLS
if (hd->uri->use_tls) if (hd->uri->use_tls)
@ -2009,12 +1987,12 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
/* Until we support send/recv in estream under Windows we need /* Until we support send/recv in estream under Windows we need
* to use es_fopencookie. */ * to use es_fopencookie. */
#ifdef HAVE_W32_SYSTEM # ifdef HAVE_W32_SYSTEM
in = es_fopencookie ((void*)(unsigned int)hd->sock->fd, "rb", in = es_fopencookie ((void*)(unsigned int)hd->sock->fd, "rb",
simple_cookie_functions); simple_cookie_functions);
#else # else
in = es_fdopen_nc (hd->sock->fd, "rb"); in = es_fdopen_nc (hd->sock->fd, "rb");
#endif # endif
if (!in) if (!in)
{ {
err = gpg_error_from_syserror (); err = gpg_error_from_syserror ();
@ -2022,12 +2000,12 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
return err; return err;
} }
#ifdef HAVE_W32_SYSTEM # ifdef HAVE_W32_SYSTEM
out = es_fopencookie ((void*)(unsigned int)hd->sock->fd, "wb", out = es_fopencookie ((void*)(unsigned int)hd->sock->fd, "wb",
simple_cookie_functions); simple_cookie_functions);
#else # else
out = es_fdopen_nc (hd->sock->fd, "wb"); out = es_fdopen_nc (hd->sock->fd, "wb");
#endif # endif
if (!out) if (!out)
{ {
err = gpg_error_from_syserror (); err = gpg_error_from_syserror ();
@ -2045,7 +2023,6 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
return err; return err;
} }
#ifdef HTTP_USE_NTBTLS
if (hd->session->verify_cb) if (hd->session->verify_cb)
{ {
err = ntbtls_set_verify_cb (hd->session->tls_session, err = ntbtls_set_verify_cb (hd->session->tls_session,
@ -2058,7 +2035,6 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
return err; return err;
} }
} }
#endif /*HTTP_USE_NTBTLS*/
while ((err = ntbtls_handshake (hd->session->tls_session))) while ((err = ntbtls_handshake (hd->session->tls_session)))
{ {
@ -2077,11 +2053,7 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
/* Try the available verify callbacks until one returns success /* Try the available verify callbacks until one returns success
* or a real error. Note that NTBTLS does the verification * or a real error. Note that NTBTLS does the verification
* during the handshake via */ * during the handshake via */
#ifdef HTTP_USE_NTBTLS
err = 0; /* Fixme check that the CB has been called. */ err = 0; /* Fixme check that the CB has been called. */
#else
err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
#endif
if (hd->session->verify_cb if (hd->session->verify_cb
&& gpg_err_source (err) == GPG_ERR_SOURCE_DIRMNGR && gpg_err_source (err) == GPG_ERR_SOURCE_DIRMNGR
@ -2109,7 +2081,9 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
} }
} }
#elif HTTP_USE_GNUTLS #elif HTTP_USE_GNUTLS
if (hd->uri->use_tls) if (hd->uri->use_tls)
{ {
int rc; int rc;
@ -2166,6 +2140,7 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
return err; return err;
} }
} }
#endif /*HTTP_USE_GNUTLS*/ #endif /*HTTP_USE_GNUTLS*/
if (auth || hd->uri->auth) if (auth || hd->uri->auth)
@ -2178,7 +2153,8 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
if (!myauth) if (!myauth)
{ {
xfree (proxy_authstr); xfree (proxy_authstr);
return gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); return gpg_err_make (default_errsource,
gpg_err_code_from_syserror ());
} }
remove_escapes (myauth); remove_escapes (myauth);
} }
@ -3512,6 +3488,7 @@ http_verify_server_credentials (http_session_t sess)
#endif #endif
} }
/* Return the first query variable with the specified key. If there /* Return the first query variable with the specified key. If there
is no such variable, return NULL. */ is no such variable, return NULL. */
struct uri_tuple_s * struct uri_tuple_s *
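Review bot: In the hunk at line 2053 of send_request, the NTBTLS path now reaches `err = 0; /* Fixme check that the CB has been called. */` unconditionally after the handshake loop; with the `#else` branch removed, a handshake that completes without the verify callback ever running is reported as success, and nothing in the visible code records whether the callback registered via `ntbtls_set_verify_cb` above was actually invoked. Since this line decides whether the peer certificate was checked, consider gating the reset on the session's verification state, e.g. `err = hd->session->verify.done ? 0 : gpg_error (GPG_ERR_GENERAL);` (`verify.done` is declared in `struct http_session_s` in the hunk at line 237, though whether the NTBTLS callback path sets it is not visible here). The truncated context comment `* during the handshake via */` should also be completed, e.g. `* during the handshake via the callback registered with ntbtls_set_verify_cb above. */`. Separately, the new header comment in the hunk at line 39 reads `must be defind`; that should be `defined`. send_request starts and ends outside this hunk.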