1
0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-20 14:37:08 +01:00

dirmngr: Fix CRL DP error fallback to other schemes.

* dirmngr/crlcache.c (crl_cache_reload_crl): Rework the double loop.
Remove the unused issuername_uri stuff.
--

It is quite common that LDAP servers are blocked and thuis the HTTP
access point should be used instead.  This worked well for
certificates where the DP are given in this form:

        crlDP: ldap://x500.bund.de/[...]
               http://x500.bund.de/[...]
               issuer: none

but it failed for this form

        crlDP: ldap://x500.bund.de/[...]
               issuer: none
        crlDP: http://x500.bund.de/[...]
               issuer: none

because the LAST_ERR thing terminated the outer loop.  This pacth
fixes this and also cleans up the code to be more robust.

Note that the common workaround of using --ignore-ldap-dp will now
only be needed if the firewall uses packet dropping instead of proper
ICMP rejects.
This commit is contained in:
Werner Koch 2022-09-16 16:45:22 +02:00
parent ed1264e74b
commit 289fbc550d
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B

View File

@ -2611,21 +2611,21 @@ crl_cache_reload_crl (ctrl_t ctrl, ksba_cert_t cert)
ksba_name_t distpoint = NULL; ksba_name_t distpoint = NULL;
ksba_name_t issuername = NULL; ksba_name_t issuername = NULL;
char *distpoint_uri = NULL; char *distpoint_uri = NULL;
char *issuername_uri = NULL;
int any_dist_point = 0; int any_dist_point = 0;
int seq; int seq;
gpg_error_t last_err = 0;
/* Loop over all distribution points, get the CRLs and put them into /* Loop over all distribution points, get the CRLs and put them into
the cache. */ the cache. */
if (opt.verbose) if (opt.verbose)
log_info ("checking distribution points\n"); log_info ("checking distribution points\n");
seq = 0; seq = 0;
while ( !(err = ksba_cert_get_crl_dist_point (cert, seq++, while (xfree (distpoint), xfree (issuername),
!(err = ksba_cert_get_crl_dist_point (cert, seq++,
&distpoint, &distpoint,
&issuername, NULL ))) &issuername, NULL )))
{ {
int name_seq; int name_seq;
gpg_error_t last_err = 0;
if (!distpoint && !issuername) if (!distpoint && !issuername)
{ {
@ -2636,13 +2636,11 @@ crl_cache_reload_crl (ctrl_t ctrl, ksba_cert_t cert)
suitable CRL. */ suitable CRL. */
} }
xfree (issuername_uri); issuername_uri = NULL;
/* Get the URIs. We do this in a loop to iterate over all names /* Get the URIs. We do this in a loop to iterate over all names
in the crlDP. */ in the crlDP. */
for (name_seq=0; ksba_name_enum (distpoint, name_seq); name_seq++) for (name_seq=0; ksba_name_enum (distpoint, name_seq); name_seq++)
{ {
xfree (distpoint_uri); distpoint_uri = NULL; xfree (distpoint_uri);
distpoint_uri = ksba_name_get_uri (distpoint, name_seq); distpoint_uri = ksba_name_get_uri (distpoint, name_seq);
if (!distpoint_uri) if (!distpoint_uri)
continue; continue;
@ -2666,6 +2664,7 @@ crl_cache_reload_crl (ctrl_t ctrl, ksba_cert_t cert)
if (opt.verbose) if (opt.verbose)
log_info ("fetching CRL from '%s'\n", distpoint_uri); log_info ("fetching CRL from '%s'\n", distpoint_uri);
crl_close_reader (reader);
err = crl_fetch (ctrl, distpoint_uri, &reader); err = crl_fetch (ctrl, distpoint_uri, &reader);
if (err) if (err)
{ {
@ -2685,38 +2684,23 @@ crl_cache_reload_crl (ctrl_t ctrl, ksba_cert_t cert)
last_err = err; last_err = err;
continue; /* with the next name. */ continue; /* with the next name. */
} }
last_err = 0; goto leave; /* Ready - we got the CRL. */
break; /* Ready. */
} }
if (last_err) }
if (gpg_err_code (err) == GPG_ERR_EOF)
err = 0;
if (!err && last_err)
{ {
err = last_err; err = last_err;
goto leave; goto leave;
} }
ksba_name_release (distpoint); distpoint = NULL;
/* We don't do anything with issuername_uri yet but we keep the
code for documentation. */
issuername_uri = ksba_name_get_uri (issuername, 0);
ksba_name_release (issuername); issuername = NULL;
/* Close the reader. */
crl_close_reader (reader);
reader = NULL;
}
if (gpg_err_code (err) == GPG_ERR_EOF)
err = 0;
/* If we did not found any distpoint, try something reasonable. */ /* If we did not found any distpoint, try something reasonable. */
if (!any_dist_point ) if (!any_dist_point )
{ {
if (opt.verbose) if (opt.verbose)
log_info ("no distribution point - trying issuer name\n"); log_info ("no distribution point - trying issuer name\n");
crl_close_reader (reader);
reader = NULL;
issuer = ksba_cert_get_issuer (cert, 0); issuer = ksba_cert_get_issuer (cert, 0);
if (!issuer) if (!issuer)
{ {
@ -2727,6 +2711,7 @@ crl_cache_reload_crl (ctrl_t ctrl, ksba_cert_t cert)
if (opt.verbose) if (opt.verbose)
log_info ("fetching CRL from default location\n"); log_info ("fetching CRL from default location\n");
crl_close_reader (reader);
err = crl_fetch_default (ctrl, issuer, &reader); err = crl_fetch_default (ctrl, issuer, &reader);
if (err) if (err)
{ {
@ -2749,7 +2734,6 @@ crl_cache_reload_crl (ctrl_t ctrl, ksba_cert_t cert)
leave: leave:
crl_close_reader (reader); crl_close_reader (reader);
xfree (distpoint_uri); xfree (distpoint_uri);
xfree (issuername_uri);
ksba_name_release (distpoint); ksba_name_release (distpoint);
ksba_name_release (issuername); ksba_name_release (issuername);
ksba_free (issuer); ksba_free (issuer);