* gpgkeys_ldap.c (main): Add "check-cert" option to disable SSL

certificate checking (which is on by default). * gpgkeys_curl.c (main): Add "debug" option to match the LDAP helper. Add "check-cert" option to disable SSL certificate checking (which is on by default).
2025-03-24 22:09:57 +01:00 · 2005-01-22 03:27:19 +00:00 · 2005-01-22 03:27:19 +00:00 · 2b10681641
commit 2b10681641
parent 6a0fda89c0
3 changed files with 69 additions and 14 deletions
--- a/keyserver/ChangeLog
+++ b/keyserver/ChangeLog
@ -1,3 +1,12 @@
+2005-01-21  David Shaw  <dshaw@grover.jabberwocky.com>
+
+	* gpgkeys_ldap.c (main): Add "check-cert" option to disable SSL
+	certificate checking (which is on by default).
+
+	* gpgkeys_curl.c (main): Add "debug" option to match the LDAP
+	helper.  Add "check-cert" option to disable SSL certificate
+	checking (which is on by default).
+
 2005-01-18  David Shaw  <dshaw@grover.jabberwocky.com>

 	* gpgkeys_curl.c: Fix typo.
--- a/keyserver/gpgkeys_curl.c
+++ b/keyserver/gpgkeys_curl.c
@ -82,12 +82,6 @@ get_key(char *getkey)
  curl_easy_setopt(curl,CURLOPT_FILE,output);
  curl_easy_setopt(curl,CURLOPT_ERRORBUFFER,errorbuffer);

-  if(verbose>1)
-    {
-      curl_easy_setopt(curl,CURLOPT_STDERR,console);
-      curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
-    }
-
  res=curl_easy_perform(curl);
  if(res!=0)
    {
@ -116,7 +110,7 @@ main(int argc,char *argv[])
  char line[MAX_LINE];
  char *thekey=NULL;
  unsigned int timeout=DEFAULT_KEYSERVER_TIMEOUT;
-  long follow_redirects=5;
+  long follow_redirects=5,debug=0,check_cert=1;

  console=stderr;

@ -287,6 +281,22 @@ main(int argc,char *argv[])
 	      else if(start[16]=='\0')
 		follow_redirects=-1;
 	    }
+	  else if(strncasecmp(start,"debug",5)==0)
+	    {
+	      if(no)
+		debug=0;
+	      else if(start[5]=='=')
+		debug=atoi(&start[6]);
+	      else if(start[5]=='\0')
+		debug=1;
+	    }
+	  else if(strcasecmp(start,"check-cert")==0)
+	    {
+	      if(no)
+		check_cert=0;
+	      else
+		check_cert=1;
+	    }

 	  continue;
 	}
@ -337,6 +347,14 @@ main(int argc,char *argv[])
 	curl_easy_setopt(curl,CURLOPT_MAXREDIRS,follow_redirects);
    }

+  if(debug)
+    {
+      curl_easy_setopt(curl,CURLOPT_STDERR,console);
+      curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
+    }
+
+  curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,check_cert);
+
  if(proxy[0])
    curl_easy_setopt(curl,CURLOPT_PROXY,proxy);

--- a/keyserver/gpgkeys_ldap.c
+++ b/keyserver/gpgkeys_ldap.c
@ -1534,7 +1534,7 @@ main(int argc,char *argv[])
 {
  int debug=0,port=0,arg,err,action=-1,ret=KEYSERVER_INTERNAL_ERROR;
  char line[MAX_LINE];
-  int version,failed=0,use_ssl=0,use_tls=0,bound=0;
+  int version,failed=0,use_ssl=0,use_tls=0,bound=0,check_cert=1;
  struct keylist *keylist=NULL,*keyptr=NULL;
  unsigned int timeout=DEFAULT_KEYSERVER_TIMEOUT;

@ -1719,6 +1719,13 @@ main(int argc,char *argv[])
 	      else if(start[3]=='\0')
 		use_tls=1;
 	    }
+	  else if(strcasecmp(start,"check-cert")==0)
+	    {
+	      if(no)
+		check_cert=0;
+	      else
+		check_cert=1;
+	    }
 	  else if(strncasecmp(start,"debug",5)==0)
 	    {
 	      if(no)
@ -1868,8 +1875,9 @@ main(int argc,char *argv[])

  if(use_ssl)
    {
-#if defined(LDAP_OPT_X_TLS_HARD) && defined(HAVE_LDAP_SET_OPTION)
+#if defined(LDAP_OPT_X_TLS) && defined(HAVE_LDAP_SET_OPTION)
      int ssl=LDAP_OPT_X_TLS_HARD;
+
      err=ldap_set_option(ldap,LDAP_OPT_X_TLS,&ssl);
      if(err!=LDAP_SUCCESS)
 	{
@ -1878,6 +1886,19 @@ main(int argc,char *argv[])
 	  fail_all(keylist,action,ldap_err_to_gpg_err(err));
 	  goto fail;
 	}
+
+      if(!check_cert)
+	ssl=LDAP_OPT_X_TLS_NEVER;
+
+      err=ldap_set_option(NULL,LDAP_OPT_X_TLS_REQUIRE_CERT,&ssl);
+      if(err!=LDAP_SUCCESS)
+	{
+	  fprintf(console,
+		  "gpgkeys: unable to set certificate validation: %s\n",
+		  ldap_err2string(err));
+	  fail_all(keylist,action,ldap_err_to_gpg_err(err));
+	  goto fail;
+	}
 #else
      fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
 	      "not built with LDAPS support");
@ -1915,15 +1936,22 @@ main(int argc,char *argv[])
 #if defined(HAVE_LDAP_START_TLS_S) && defined(HAVE_LDAP_SET_OPTION)
 	  int ver=LDAP_VERSION3;

-	  err=LDAP_SUCCESS;
-
 	  err=ldap_set_option(ldap,LDAP_OPT_PROTOCOL_VERSION,&ver);
 	  if(err==LDAP_SUCCESS)
-	    err=ldap_start_tls_s(ldap,NULL,NULL);
+	    {
+	      if(check_cert)
+		ver=LDAP_OPT_X_TLS_HARD;
+	      else
+		ver=LDAP_OPT_X_TLS_NEVER;
+
+	      err=ldap_set_option(ldap,LDAP_OPT_X_TLS_REQUIRE_CERT,&ver);
+	      if(err==LDAP_SUCCESS)
+		err=ldap_start_tls_s(ldap,NULL,NULL);
+	    }

 	  if(err!=LDAP_SUCCESS)
 	    {
-	      if(use_tls==2 || verbose>2)
+	      if(use_tls>=2 || verbose>2)
 		fprintf(console,"gpgkeys: unable to start TLS: %s\n",
 			ldap_err2string(err));
 	      /* Are we forcing it? */
@ -1952,7 +1980,7 @@ main(int argc,char *argv[])
  /* The LDAP keyserver doesn't require this, but it might be useful
     if someone stores keys on a V2 LDAP server somewhere.  (V3
     doesn't require a bind).  Leave this out for now since it is not
-     clear if anyone server we're likely to use really cares, plus
+     clear if anyone's server we're likely to use really cares, plus
     there are some servers that don't allow it. */

  err=ldap_simple_bind_s(ldap,NULL,NULL);