security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00
Code Activity

dirmngr: New Assuan option "http-crl".

Browse Source 
* dirmngr/dirmngr.h (server_control_s): New flag 'http_no_crl'.
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set this flag.
* dirmngr/server.c (option_handler): New option "http-crl"
* dirmngr/http.h (HTTP_FLAG_NO_CRL): New flag.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Consult this flag.
* dirmngr/ks-engine-hkp.c (send_request): Set flag depending on CTRL.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.

* dirmngr/t-http.c (main): New option --no-crl.
--

This new option can be used to enable CRL checks on a per session
base.  The default is not to use CRLs for https connections.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2017-02-21 09:37:07 +01:00
parent 39c7450381
commit 493c142e58
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
9 changed files with 34 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
dirmngr/dirmngr.c
View File

@ -1492,6 +1492,7 @@ dirmngr_init_default_ctrl (ctrl_t ctrl)
ctrl->magic = SERVER_CONTROL_MAGIC; ctrl->magic = SERVER_CONTROL_MAGIC;
if (opt.http_proxy) if (opt.http_proxy)
ctrl->http_proxy = xstrdup (opt.http_proxy); ctrl->http_proxy = xstrdup (opt.http_proxy);
ctrl->http_no_crl = 1;
} }

2
dirmngr/dirmngr.h
View File

@ -190,6 +190,8 @@ struct server_control_s
int audit_events; /* Send audit events to client. */ int audit_events; /* Send audit events to client. */
char *http_proxy; /* The used http_proxy or NULL. */ char *http_proxy; /* The used http_proxy or NULL. */
unsigned int http_no_crl:1; /* Do not check CRLs for https. */
}; };

4
dirmngr/http-ntbtls.c
View File

@ -78,8 +78,8 @@ gnupg_http_tls_verify_cb (void *opaque,
if ((http_flags & HTTP_FLAG_TRUST_SYS)) if ((http_flags & HTTP_FLAG_TRUST_SYS))
validate_flags |= VALIDATE_FLAG_SYSTRUST; validate_flags |= VALIDATE_FLAG_SYSTRUST;
/* FIXME: For now we don't use CRLs. */ if ((http_flags & HTTP_FLAG_NO_CRL))
validate_flags |= VALIDATE_FLAG_NOCRLCHECK; validate_flags |= VALIDATE_FLAG_NOCRLCHECK;
err = validate_cert_chain (ctrl, hostcert, NULL, validate_flags, NULL); err = validate_cert_chain (ctrl, hostcert, NULL, validate_flags, NULL);

1
dirmngr/http.c
View File

@ -653,6 +653,7 @@ http_session_release (http_session_t sess)
* Valid values for FLAGS are: * Valid values for FLAGS are:
* HTTP_FLAG_TRUST_DEF - Use the CAs set with http_register_tls_ca * HTTP_FLAG_TRUST_DEF - Use the CAs set with http_register_tls_ca
* HTTP_FLAG_TRUST_SYS - Also use the CAs defined by the system * HTTP_FLAG_TRUST_SYS - Also use the CAs defined by the system
* HTTP_FLAG_NO_CRL - Do not consult CRLs for https.
*/ */
gpg_error_t gpg_error_t
http_session_new (http_session_t *r_session, http_session_new (http_session_t *r_session,

3
dirmngr/http.h
View File

@ -87,7 +87,8 @@ enum
HTTP_FLAG_IGNORE_IPv4 = 64, /* Do not use IPv4. */ HTTP_FLAG_IGNORE_IPv4 = 64, /* Do not use IPv4. */
HTTP_FLAG_IGNORE_IPv6 = 128, /* Do not use IPv6. */ HTTP_FLAG_IGNORE_IPv6 = 128, /* Do not use IPv6. */
HTTP_FLAG_TRUST_DEF = 256, /* Use the default CAs. */ HTTP_FLAG_TRUST_DEF = 256, /* Use the default CAs. */
HTTP_FLAG_TRUST_SYS = 512 /* Also use the system defined CAs. */ HTTP_FLAG_TRUST_SYS = 512, /* Also use the system defined CAs. */
HTTP_FLAG_NO_CRL = 1024 /* Do not consult CRLs for https. */
}; };

4
dirmngr/ks-engine-hkp.c
View File

@ -1123,7 +1123,9 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
*r_fp = NULL; *r_fp = NULL;
err = http_session_new (&session, httphost, HTTP_FLAG_TRUST_DEF, err = http_session_new (&session, httphost,
((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
| HTTP_FLAG_TRUST_DEF),
gnupg_http_tls_verify_cb, ctrl); gnupg_http_tls_verify_cb, ctrl);
if (err) if (err)
goto leave; goto leave;

4
dirmngr/ks-engine-http.c
View File

@ -76,7 +76,9 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
once_more: once_more:
/* Note that we only use the system provided certificates with the /* Note that we only use the system provided certificates with the
* fetch command. */ * fetch command. */
err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_SYS, err = http_session_new (&session, NULL,
((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
| HTTP_FLAG_TRUST_SYS),
gnupg_http_tls_verify_cb, ctrl); gnupg_http_tls_verify_cb, ctrl);
if (err) if (err)
goto leave; goto leave;

5
dirmngr/server.c
View File

@ -627,6 +627,11 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
if (dirmngr_use_tor ()) if (dirmngr_use_tor ())
err = gpg_error (GPG_ERR_FORBIDDEN); err = gpg_error (GPG_ERR_FORBIDDEN);
} }
else if (!strcmp (key, "http-crl"))
{
int i = *value? atoi (value) : 0;
ctrl->http_no_crl = !i;
}
else else
err = gpg_error (GPG_ERR_UNKNOWN_OPTION); err = gpg_error (GPG_ERR_UNKNOWN_OPTION);

18
dirmngr/t-http.c
View File

@ -199,6 +199,7 @@ main (int argc, char **argv)
unsigned int my_http_flags = 0; unsigned int my_http_flags = 0;
int no_out = 0; int no_out = 0;
int tls_dbg = 0; int tls_dbg = 0;
int no_crl = 0;
const char *cafile = NULL; const char *cafile = NULL;
http_session_t session = NULL; http_session_t session = NULL;
@ -225,7 +226,8 @@ main (int argc, char **argv)
" --no-verify do not verify the certificate\n" " --no-verify do not verify the certificate\n"
" --force-tls use HTTP_FLAG_FORCE_TLS\n" " --force-tls use HTTP_FLAG_FORCE_TLS\n"
" --force-tor use HTTP_FLAG_FORCE_TOR\n" " --force-tor use HTTP_FLAG_FORCE_TOR\n"
" --no-out do not print the content\n", " --no-out do not print the content\n"
" --no-crl do not consuilt a CRL\n",
stdout); stdout);
exit (0); exit (0);
} }
@ -278,6 +280,11 @@ main (int argc, char **argv)
no_out = 1; no_out = 1;
argc--; argv++; argc--; argv++;
} }
else if (!strcmp (*argv, "--no-crl"))
{
no_crl = 1;
argc--; argv++;
}
else if (!strncmp (*argv, "--", 2)) else if (!strncmp (*argv, "--", 2))
{ {
fprintf (stderr, PGM ": unknown option '%s'\n", *argv); fprintf (stderr, PGM ": unknown option '%s'\n", *argv);
@ -298,7 +305,9 @@ main (int argc, char **argv)
#if HTTP_USE_NTBTLS #if HTTP_USE_NTBTLS
log_info ("new session.\n"); log_info ("new session.\n");
err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF, err = http_session_new (&session, NULL,
((no_crl? HTTP_FLAG_NO_CRL : 0)
| HTTP_FLAG_TRUST_DEF),
my_http_tls_verify_cb, NULL); my_http_tls_verify_cb, NULL);
if (err) if (err)
log_error ("http_session_new failed: %s\n", gpg_strerror (err)); log_error ("http_session_new failed: %s\n", gpg_strerror (err));
@ -313,7 +322,10 @@ main (int argc, char **argv)
http_register_tls_callback (verify_callback); http_register_tls_callback (verify_callback);
http_register_tls_ca (cafile); http_register_tls_ca (cafile);
err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF, NULL, NULL); err = http_session_new (&session, NULL,
((no_crl? HTTP_FLAG_NO_CRL : 0)
| HTTP_FLAG_TRUST_DEF),
NULL, NULL);
if (err) if (err)
log_error ("http_session_new failed: %s\n", gpg_strerror (err)); log_error ("http_session_new failed: %s\n", gpg_strerror (err));