diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 5e6d98367..f04d0881f 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -1492,6 +1492,7 @@ dirmngr_init_default_ctrl (ctrl_t ctrl)
   ctrl->magic = SERVER_CONTROL_MAGIC;
   if (opt.http_proxy)
     ctrl->http_proxy = xstrdup (opt.http_proxy);
+  ctrl->http_no_crl = 1;
 }
 
 
diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index 57e3372a0..b0b603f76 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -190,6 +190,8 @@ struct server_control_s
 
   int audit_events; /* Send audit events to client. */
   char *http_proxy; /* The used http_proxy or NULL. */
+
+  unsigned int http_no_crl:1; /* Do not check CRLs for https. */
 };
 
 
diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c
index 5686877ec..3038cae6b 100644
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@@ -78,8 +78,8 @@ gnupg_http_tls_verify_cb (void *opaque,
   if ((http_flags & HTTP_FLAG_TRUST_SYS))
     validate_flags |= VALIDATE_FLAG_SYSTRUST;
 
-  /* FIXME: For now we don't use CRLs. */
-  validate_flags |= VALIDATE_FLAG_NOCRLCHECK;
+  if ((http_flags & HTTP_FLAG_NO_CRL))
+    validate_flags |= VALIDATE_FLAG_NOCRLCHECK;
 
   err = validate_cert_chain (ctrl, hostcert, NULL, validate_flags, NULL);
 
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 89e46ca22..733018de5 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -653,6 +653,7 @@ http_session_release (http_session_t sess)
  * Valid values for FLAGS are:
  *   HTTP_FLAG_TRUST_DEF - Use the CAs set with http_register_tls_ca
  *   HTTP_FLAG_TRUST_SYS - Also use the CAs defined by the system
+ *   HTTP_FLAG_NO_CRL - Do not consult CRLs for https.
  */
 gpg_error_t
 http_session_new (http_session_t *r_session,
diff --git a/dirmngr/http.h b/dirmngr/http.h
index 98ac4a31a..331ee61b8 100644
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
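Review bot: CRL checking for https is switched off for every new ctrl by the unconditional `ctrl->http_no_crl = 1;` in dirmngr_init_default_ctrl, and nothing in the hunk records that this is deliberate or how a client turns it on. That preserves what the removed FIXME in http-ntbtls.c hard-coded, but a negated bit defaulting to 1 is easy to misread as "CRL checks on", so the line deserves a why-comment, e.g. `/* CRL checks on https connections stay disabled by default; a client enables them with OPTION http-crl=1 (see option_handler in server.c).  */`. The same default is worth stating on the `http_no_crl` member comment in dirmngr.h, which says what the bit does but not what value a fresh ctrl carries.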
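Review bot: Whether CRLs are consulted now depends entirely on the caller of http_session_new passing HTTP_FLAG_NO_CRL, and the callback does not say so; every caller in this commit derives the flag from `ctrl->http_no_crl`, so a later caller that passes only the TRUST flags silently starts doing CRL checks, which fail closed when the CRL distribution point cannot be reached. A comment above the new `if` would make the contract explicit, e.g. `/* CRL checks are skipped only if the session was created with HTTP_FLAG_NO_CRL; callers take that bit from ctrl->http_no_crl.  */`. If a CRL for the host certificate itself has to be fetched over https, validate_cert_chain may presumably drive another fetch through the same ctrl — whether that inner fetch is exempt from the check is not visible here and is worth confirming. gnupg_http_tls_verify_cb starts and ends outside the hunk.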
@@ -87,7 +87,8 @@ enum
     HTTP_FLAG_IGNORE_IPv4 = 64, /* Do not use IPv4. */
     HTTP_FLAG_IGNORE_IPv6 = 128, /* Do not use IPv6. */
     HTTP_FLAG_TRUST_DEF = 256, /* Use the default CAs. */
-    HTTP_FLAG_TRUST_SYS = 512 /* Also use the system defined CAs. */
+    HTTP_FLAG_TRUST_SYS = 512, /* Also use the system defined CAs. */
+    HTTP_FLAG_NO_CRL = 1024 /* Do not consult CRLs for https. */
   };
 
 
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 4ca1e0025..b6a06754f 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -1123,7 +1123,9 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
 
   *r_fp = NULL;
 
-  err = http_session_new (&session, httphost, HTTP_FLAG_TRUST_DEF,
+  err = http_session_new (&session, httphost,
+                          ((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
+                           | HTTP_FLAG_TRUST_DEF),
                           gnupg_http_tls_verify_cb, ctrl);
   if (err)
     goto leave;
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index 9352a0f18..d4a6c8a63 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -76,7 +76,9 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
  once_more:
   /* Note that we only use the system provided certificates with the
    * fetch command. */
-  err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_SYS,
+  err = http_session_new (&session, NULL,
+                          ((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
+                           | HTTP_FLAG_TRUST_SYS),
                           gnupg_http_tls_verify_cb, ctrl);
   if (err)
     goto leave;
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 92bbc160b..f726d1b35 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -627,6 +627,11 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
       if (dirmngr_use_tor ())
         err = gpg_error (GPG_ERR_FORBIDDEN);
     }
+  else if (!strcmp (key, "http-crl"))
+    {
+      int i = *value? atoi (value) : 0;
+      ctrl->http_no_crl = !i;
+    }
   else
     err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
 
diff --git a/dirmngr/t-http.c b/dirmngr/t-http.c
index c5bec898b..68818de7a 100644
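Review bot: The expression `(ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)` that maps the ctrl bit to a session flag is spelled out by hand in send_request here, again in ks_http_fetch in ks-engine-http.c, and the same pattern with a local flag appears twice in t-http.c, so any future change to the mapping (or a second ctrl-derived flag) has to be made in four places. A small helper declared alongside dirmngr_init_default_ctrl, such as `static inline unsigned int http_flags_from_ctrl (ctrl_t ctrl)` returning the NO_CRL bit, would let the two engine call sites read `http_session_new (&session, httphost, http_flags_from_ctrl (ctrl) | HTTP_FLAG_TRUST_DEF, gnupg_http_tls_verify_cb, ctrl);`. send_request starts and ends outside the hunk.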
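Review bot: `atoi (value)` turns any non-numeric value into 0, so a client sending `OPTION http-crl=yes` or `OPTION http-crl=true` ends up with `ctrl->http_no_crl = 1` — the misparsed request disables CRL checking instead of being rejected. The double negation (`int i = ...; ctrl->http_no_crl = !i;`) also makes the value-less form `OPTION http-crl` switch checks off, which is the opposite of what the option name suggests and deserves at least a comment if it is intended. Parsing with strtol and rejecting trailing garbage with GPG_ERR_INV_VALUE makes a bad value fail closed; option_handler starts and ends outside the hunk.
```c
  else if (!strcmp (key, "http-crl"))
    {
      char *endp;
      long i = *value? strtol (value, &endp, 10) : 0;

      /* Reject anything that is not a plain integer so that a mistyped
       * value can not silently switch CRL checking off.  */
      if (*value && *endp)
        err = gpg_error (GPG_ERR_INV_VALUE);
      else
        ctrl->http_no_crl = !i;
    }
  /* … unchanged: final else branch returning GPG_ERR_UNKNOWN_OPTION … */
```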
--- a/dirmngr/t-http.c
+++ b/dirmngr/t-http.c
@@ -199,6 +199,7 @@ main (int argc, char **argv)
   unsigned int my_http_flags = 0;
   int no_out = 0;
   int tls_dbg = 0;
+  int no_crl = 0;
   const char *cafile = NULL;
   http_session_t session = NULL;
 
@@ -225,7 +226,8 @@ main (int argc, char **argv)
                  " --no-verify do not verify the certificate\n"
                  " --force-tls use HTTP_FLAG_FORCE_TLS\n"
                  " --force-tor use HTTP_FLAG_FORCE_TOR\n"
-                 " --no-out do not print the content\n",
+                 " --no-out do not print the content\n"
+                 " --no-crl do not consuilt a CRL\n",
                  stdout);
           exit (0);
         }
@@ -278,6 +280,11 @@ main (int argc, char **argv)
           no_out = 1;
           argc--; argv++;
         }
+      else if (!strcmp (*argv, "--no-crl"))
+        {
+          no_crl = 1;
+          argc--; argv++;
+        }
       else if (!strncmp (*argv, "--", 2))
         {
           fprintf (stderr, PGM ": unknown option '%s'\n", *argv);
@@ -298,7 +305,9 @@ main (int argc, char **argv)
 #if HTTP_USE_NTBTLS
 
   log_info ("new session.\n");
-  err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF,
+  err = http_session_new (&session, NULL,
+                          ((no_crl? HTTP_FLAG_NO_CRL : 0)
+                           | HTTP_FLAG_TRUST_DEF),
                           my_http_tls_verify_cb, NULL);
   if (err)
     log_error ("http_session_new failed: %s\n", gpg_strerror (err));
@@ -313,7 +322,10 @@ main (int argc, char **argv)
   http_register_tls_callback (verify_callback);
   http_register_tls_ca (cafile);
 
-  err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF, NULL, NULL);
+  err = http_session_new (&session, NULL,
+                          ((no_crl? HTTP_FLAG_NO_CRL : 0)
+                           | HTTP_FLAG_TRUST_DEF),
+                          NULL, NULL);
   if (err)
     log_error ("http_session_new failed: %s\n", gpg_strerror (err));
 
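Review bot: The new usage line in the second hunk has a typo in user-facing text, `do not consuilt a CRL`; change `consuilt` to `consult` in the `--no-crl` line of the fputs string. In the last hunk the flag is passed to http_session_new together with a NULL verify callback, and nothing on this page shows that build path reading HTTP_FLAG_NO_CRL, so `--no-crl` may be a no-op there — if so, a short comment on that call (or a note in the usage text) would save the next tester from chasing it. main starts and ends outside these hunks.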