dirmngr: New Assuan option "http-crl".

* dirmngr/dirmngr.h (server_control_s): New flag 'http_no_crl'.
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set this flag.
* dirmngr/server.c (option_handler): New option "http-crl"
* dirmngr/http.h (HTTP_FLAG_NO_CRL): New flag.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Consult this flag.
* dirmngr/ks-engine-hkp.c (send_request): Set flag depending on CTRL.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.

* dirmngr/t-http.c (main): New option --no-crl.
--

This new option can be used to enable CRL checks on a per session
base.  The default is not to use CRLs for https connections.

Signed-off-by: Werner Koch <wk@gnupg.org>

dirmngr/dirmngr.c

@@ -1492,6 +1492,7 @@ dirmngr_init_default_ctrl (ctrl_t ctrl)
   ctrl->magic = SERVER_CONTROL_MAGIC;
   if (opt.http_proxy)
     ctrl->http_proxy = xstrdup (opt.http_proxy);
+  ctrl->http_no_crl = 1;
 }
 
 

dirmngr/dirmngr.h

@@ -190,6 +190,8 @@ struct server_control_s
 
   int audit_events;  /* Send audit events to client.  */
   char *http_proxy;  /* The used http_proxy or NULL.  */
+
+  unsigned int http_no_crl:1;  /* Do not check CRLs for https.  */
 };
 
 

dirmngr/http-ntbtls.c

@@ -78,8 +78,8 @@ gnupg_http_tls_verify_cb (void *opaque,
   if ((http_flags & HTTP_FLAG_TRUST_SYS))
     validate_flags |= VALIDATE_FLAG_SYSTRUST;
 
-  /* FIXME: For now we don't use CRLs.  */
-  validate_flags |= VALIDATE_FLAG_NOCRLCHECK;
+  if ((http_flags & HTTP_FLAG_NO_CRL))
+    validate_flags |= VALIDATE_FLAG_NOCRLCHECK;
 
   err = validate_cert_chain (ctrl, hostcert, NULL, validate_flags, NULL);
 

dirmngr/http.c

@@ -653,6 +653,7 @@ http_session_release (http_session_t sess)
  * Valid values for FLAGS are:
  *   HTTP_FLAG_TRUST_DEF - Use the CAs set with http_register_tls_ca
  *   HTTP_FLAG_TRUST_SYS - Also use the CAs defined by the system
+ *   HTTP_FLAG_NO_CRL    - Do not consult CRLs for https.
  */
 gpg_error_t
 http_session_new (http_session_t *r_session,

dirmngr/http.h

@@ -87,7 +87,8 @@ enum
     HTTP_FLAG_IGNORE_IPv4 = 64,  /* Do not use IPv4.  */
     HTTP_FLAG_IGNORE_IPv6 = 128, /* Do not use IPv6.  */
     HTTP_FLAG_TRUST_DEF   = 256, /* Use the default CAs.  */
-    HTTP_FLAG_TRUST_SYS   = 512  /* Also use the system defined CAs.  */
+    HTTP_FLAG_TRUST_SYS   = 512, /* Also use the system defined CAs.  */
+    HTTP_FLAG_NO_CRL     = 1024  /* Do not consult CRLs for https.  */
   };
 
 

dirmngr/ks-engine-hkp.c

@@ -1123,7 +1123,9 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
 
   *r_fp = NULL;
 
-  err = http_session_new (&session, httphost, HTTP_FLAG_TRUST_DEF,
+  err = http_session_new (&session, httphost,
+                          ((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
+                           | HTTP_FLAG_TRUST_DEF),
                           gnupg_http_tls_verify_cb, ctrl);
   if (err)
     goto leave;

dirmngr/ks-engine-http.c

@@ -76,7 +76,9 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
  once_more:
   /* Note that we only use the system provided certificates with the
    * fetch command.  */
-  err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_SYS,
+  err = http_session_new (&session, NULL,
+                          ((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
+                           | HTTP_FLAG_TRUST_SYS),
                           gnupg_http_tls_verify_cb, ctrl);
   if (err)
     goto leave;

dirmngr/server.c

@@ -627,6 +627,11 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
       if (dirmngr_use_tor ())
         err = gpg_error (GPG_ERR_FORBIDDEN);
     }
+  else if (!strcmp (key, "http-crl"))
+    {
+      int i = *value? atoi (value) : 0;
+      ctrl->http_no_crl = !i;
+    }
   else
     err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
 

dirmngr/t-http.c

@@ -199,6 +199,7 @@ main (int argc, char **argv)
   unsigned int my_http_flags = 0;
   int no_out = 0;
   int tls_dbg = 0;
+  int no_crl = 0;
   const char *cafile = NULL;
   http_session_t session = NULL;
 
@@ -225,7 +226,8 @@ main (int argc, char **argv)
                  "  --no-verify       do not verify the certificate\n"
                  "  --force-tls       use HTTP_FLAG_FORCE_TLS\n"
                  "  --force-tor       use HTTP_FLAG_FORCE_TOR\n"
-                 "  --no-out          do not print the content\n",
+                 "  --no-out          do not print the content\n"
+                 "  --no-crl          do not consuilt a CRL\n",
                  stdout);
           exit (0);
         }
@@ -278,6 +280,11 @@ main (int argc, char **argv)
           no_out = 1;
           argc--; argv++;
         }
+      else if (!strcmp (*argv, "--no-crl"))
+        {
+          no_crl = 1;
+          argc--; argv++;
+        }
       else if (!strncmp (*argv, "--", 2))
         {
           fprintf (stderr, PGM ": unknown option '%s'\n", *argv);
@@ -298,7 +305,9 @@ main (int argc, char **argv)
 
 #if HTTP_USE_NTBTLS
   log_info ("new session.\n");
-  err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF,
+  err = http_session_new (&session, NULL,
+                          ((no_crl? HTTP_FLAG_NO_CRL : 0)
+                           | HTTP_FLAG_TRUST_DEF),
                           my_http_tls_verify_cb, NULL);
   if (err)
     log_error ("http_session_new failed: %s\n", gpg_strerror (err));
@@ -313,7 +322,10 @@ main (int argc, char **argv)
   http_register_tls_callback (verify_callback);
   http_register_tls_ca (cafile);
 
-  err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF, NULL, NULL);
+  err = http_session_new (&session, NULL,
+                          ((no_crl? HTTP_FLAG_NO_CRL : 0)
+                           | HTTP_FLAG_TRUST_DEF),
+                          NULL, NULL);
   if (err)
     log_error ("http_session_new failed: %s\n", gpg_strerror (err));