mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
dirmngr: New Assuan option "http-crl".
* dirmngr/dirmngr.h (server_control_s): New flag 'http_no_crl'. * dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set this flag. * dirmngr/server.c (option_handler): New option "http-crl" * dirmngr/http.h (HTTP_FLAG_NO_CRL): New flag. * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Consult this flag. * dirmngr/ks-engine-hkp.c (send_request): Set flag depending on CTRL. * dirmngr/ks-engine-http.c (ks_http_fetch): Ditto. * dirmngr/t-http.c (main): New option --no-crl. -- This new option can be used to enable CRL checks on a per session base. The default is not to use CRLs for https connections. Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch
parent
39c7450381
commit
493c142e58
@ -1492,6 +1492,7 @@ dirmngr_init_default_ctrl (ctrl_t ctrl)
|
||||
ctrl->magic = SERVER_CONTROL_MAGIC;
|
||||
if (opt.http_proxy)
|
||||
ctrl->http_proxy = xstrdup (opt.http_proxy);
|
||||
ctrl->http_no_crl = 1;
|
||||
}
|
||||
|
||||
|
||||
|
||||
@ -190,6 +190,8 @@ struct server_control_s
|
||||
|
||||
int audit_events; /* Send audit events to client. */
|
||||
char *http_proxy; /* The used http_proxy or NULL. */
|
||||
|
||||
unsigned int http_no_crl:1; /* Do not check CRLs for https. */
|
||||
};
|
||||
|
||||
|
||||
|
||||
@ -78,8 +78,8 @@ gnupg_http_tls_verify_cb (void *opaque,
|
||||
if ((http_flags & HTTP_FLAG_TRUST_SYS))
|
||||
validate_flags |= VALIDATE_FLAG_SYSTRUST;
|
||||
|
||||
/* FIXME: For now we don't use CRLs. */
|
||||
validate_flags |= VALIDATE_FLAG_NOCRLCHECK;
|
||||
if ((http_flags & HTTP_FLAG_NO_CRL))
|
||||
validate_flags |= VALIDATE_FLAG_NOCRLCHECK;
|
||||
|
||||
err = validate_cert_chain (ctrl, hostcert, NULL, validate_flags, NULL);
|
||||
|
||||
|
||||
@ -653,6 +653,7 @@ http_session_release (http_session_t sess)
|
||||
* Valid values for FLAGS are:
|
||||
* HTTP_FLAG_TRUST_DEF - Use the CAs set with http_register_tls_ca
|
||||
* HTTP_FLAG_TRUST_SYS - Also use the CAs defined by the system
|
||||
* HTTP_FLAG_NO_CRL - Do not consult CRLs for https.
|
||||
*/
|
||||
gpg_error_t
|
||||
http_session_new (http_session_t *r_session,
|
||||
|
||||
@ -87,7 +87,8 @@ enum
|
||||
HTTP_FLAG_IGNORE_IPv4 = 64, /* Do not use IPv4. */
|
||||
HTTP_FLAG_IGNORE_IPv6 = 128, /* Do not use IPv6. */
|
||||
HTTP_FLAG_TRUST_DEF = 256, /* Use the default CAs. */
|
||||
HTTP_FLAG_TRUST_SYS = 512 /* Also use the system defined CAs. */
|
||||
HTTP_FLAG_TRUST_SYS = 512, /* Also use the system defined CAs. */
|
||||
HTTP_FLAG_NO_CRL = 1024 /* Do not consult CRLs for https. */
|
||||
};
|
||||
|
||||
|
||||
|
||||
@ -1123,7 +1123,9 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
|
||||
|
||||
*r_fp = NULL;
|
||||
|
||||
err = http_session_new (&session, httphost, HTTP_FLAG_TRUST_DEF,
|
||||
err = http_session_new (&session, httphost,
|
||||
((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
|
||||
| HTTP_FLAG_TRUST_DEF),
|
||||
gnupg_http_tls_verify_cb, ctrl);
|
||||
if (err)
|
||||
goto leave;
|
||||
|
||||
@ -76,7 +76,9 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
|
||||
once_more:
|
||||
/* Note that we only use the system provided certificates with the
|
||||
* fetch command. */
|
||||
err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_SYS,
|
||||
err = http_session_new (&session, NULL,
|
||||
((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
|
||||
| HTTP_FLAG_TRUST_SYS),
|
||||
gnupg_http_tls_verify_cb, ctrl);
|
||||
if (err)
|
||||
goto leave;
|
||||
|
||||
@ -627,6 +627,11 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
|
||||
if (dirmngr_use_tor ())
|
||||
err = gpg_error (GPG_ERR_FORBIDDEN);
|
||||
}
|
||||
else if (!strcmp (key, "http-crl"))
|
||||
{
|
||||
int i = *value? atoi (value) : 0;
|
||||
ctrl->http_no_crl = !i;
|
||||
}
|
||||
else
|
||||
err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
|
||||
|
||||
|
||||
@ -199,6 +199,7 @@ main (int argc, char **argv)
|
||||
unsigned int my_http_flags = 0;
|
||||
int no_out = 0;
|
||||
int tls_dbg = 0;
|
||||
int no_crl = 0;
|
||||
const char *cafile = NULL;
|
||||
http_session_t session = NULL;
|
||||
|
||||
@ -225,7 +226,8 @@ main (int argc, char **argv)
|
||||
" --no-verify do not verify the certificate\n"
|
||||
" --force-tls use HTTP_FLAG_FORCE_TLS\n"
|
||||
" --force-tor use HTTP_FLAG_FORCE_TOR\n"
|
||||
" --no-out do not print the content\n",
|
||||
" --no-out do not print the content\n"
|
||||
" --no-crl do not consuilt a CRL\n",
|
||||
stdout);
|
||||
exit (0);
|
||||
}
|
||||
@ -278,6 +280,11 @@ main (int argc, char **argv)
|
||||
no_out = 1;
|
||||
argc--; argv++;
|
||||
}
|
||||
else if (!strcmp (*argv, "--no-crl"))
|
||||
{
|
||||
no_crl = 1;
|
||||
argc--; argv++;
|
||||
}
|
||||
else if (!strncmp (*argv, "--", 2))
|
||||
{
|
||||
fprintf (stderr, PGM ": unknown option '%s'\n", *argv);
|
||||
@ -298,7 +305,9 @@ main (int argc, char **argv)
|
||||
|
||||
#if HTTP_USE_NTBTLS
|
||||
log_info ("new session.\n");
|
||||
err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF,
|
||||
err = http_session_new (&session, NULL,
|
||||
((no_crl? HTTP_FLAG_NO_CRL : 0)
|
||||
| HTTP_FLAG_TRUST_DEF),
|
||||
my_http_tls_verify_cb, NULL);
|
||||
if (err)
|
||||
log_error ("http_session_new failed: %s\n", gpg_strerror (err));
|
||||
@ -313,7 +322,10 @@ main (int argc, char **argv)
|
||||
http_register_tls_callback (verify_callback);
|
||||
http_register_tls_ca (cafile);
|
||||
|
||||
err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF, NULL, NULL);
|
||||
err = http_session_new (&session, NULL,
|
||||
((no_crl? HTTP_FLAG_NO_CRL : 0)
|
||||
| HTTP_FLAG_TRUST_DEF),
|
||||
NULL, NULL);
|
||||
if (err)
|
||||
log_error ("http_session_new failed: %s\n", gpg_strerror (err));
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user