1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

dirmngr: New Assuan option "http-crl".

* dirmngr/dirmngr.h (server_control_s): New flag 'http_no_crl'.
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set this flag.
* dirmngr/server.c (option_handler): New option "http-crl"
* dirmngr/http.h (HTTP_FLAG_NO_CRL): New flag.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Consult this flag.
* dirmngr/ks-engine-hkp.c (send_request): Set flag depending on CTRL.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.

* dirmngr/t-http.c (main): New option --no-crl.
--

This new option can be used to enable CRL checks on a per session
base.  The default is not to use CRLs for https connections.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2017-02-21 09:37:07 +01:00
parent 39c7450381
commit 493c142e58
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
9 changed files with 34 additions and 8 deletions

View File

@ -1492,6 +1492,7 @@ dirmngr_init_default_ctrl (ctrl_t ctrl)
ctrl->magic = SERVER_CONTROL_MAGIC;
if (opt.http_proxy)
ctrl->http_proxy = xstrdup (opt.http_proxy);
ctrl->http_no_crl = 1;
}

View File

@ -190,6 +190,8 @@ struct server_control_s
int audit_events; /* Send audit events to client. */
char *http_proxy; /* The used http_proxy or NULL. */
unsigned int http_no_crl:1; /* Do not check CRLs for https. */
};

View File

@ -78,7 +78,7 @@ gnupg_http_tls_verify_cb (void *opaque,
if ((http_flags & HTTP_FLAG_TRUST_SYS))
validate_flags |= VALIDATE_FLAG_SYSTRUST;
/* FIXME: For now we don't use CRLs. */
if ((http_flags & HTTP_FLAG_NO_CRL))
validate_flags |= VALIDATE_FLAG_NOCRLCHECK;
err = validate_cert_chain (ctrl, hostcert, NULL, validate_flags, NULL);

View File

@ -653,6 +653,7 @@ http_session_release (http_session_t sess)
* Valid values for FLAGS are:
* HTTP_FLAG_TRUST_DEF - Use the CAs set with http_register_tls_ca
* HTTP_FLAG_TRUST_SYS - Also use the CAs defined by the system
* HTTP_FLAG_NO_CRL - Do not consult CRLs for https.
*/
gpg_error_t
http_session_new (http_session_t *r_session,

View File

@ -87,7 +87,8 @@ enum
HTTP_FLAG_IGNORE_IPv4 = 64, /* Do not use IPv4. */
HTTP_FLAG_IGNORE_IPv6 = 128, /* Do not use IPv6. */
HTTP_FLAG_TRUST_DEF = 256, /* Use the default CAs. */
HTTP_FLAG_TRUST_SYS = 512 /* Also use the system defined CAs. */
HTTP_FLAG_TRUST_SYS = 512, /* Also use the system defined CAs. */
HTTP_FLAG_NO_CRL = 1024 /* Do not consult CRLs for https. */
};

View File

@ -1123,7 +1123,9 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
*r_fp = NULL;
err = http_session_new (&session, httphost, HTTP_FLAG_TRUST_DEF,
err = http_session_new (&session, httphost,
((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
| HTTP_FLAG_TRUST_DEF),
gnupg_http_tls_verify_cb, ctrl);
if (err)
goto leave;

View File

@ -76,7 +76,9 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
once_more:
/* Note that we only use the system provided certificates with the
* fetch command. */
err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_SYS,
err = http_session_new (&session, NULL,
((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
| HTTP_FLAG_TRUST_SYS),
gnupg_http_tls_verify_cb, ctrl);
if (err)
goto leave;

View File

@ -627,6 +627,11 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
if (dirmngr_use_tor ())
err = gpg_error (GPG_ERR_FORBIDDEN);
}
else if (!strcmp (key, "http-crl"))
{
int i = *value? atoi (value) : 0;
ctrl->http_no_crl = !i;
}
else
err = gpg_error (GPG_ERR_UNKNOWN_OPTION);

View File

@ -199,6 +199,7 @@ main (int argc, char **argv)
unsigned int my_http_flags = 0;
int no_out = 0;
int tls_dbg = 0;
int no_crl = 0;
const char *cafile = NULL;
http_session_t session = NULL;
@ -225,7 +226,8 @@ main (int argc, char **argv)
" --no-verify do not verify the certificate\n"
" --force-tls use HTTP_FLAG_FORCE_TLS\n"
" --force-tor use HTTP_FLAG_FORCE_TOR\n"
" --no-out do not print the content\n",
" --no-out do not print the content\n"
" --no-crl do not consuilt a CRL\n",
stdout);
exit (0);
}
@ -278,6 +280,11 @@ main (int argc, char **argv)
no_out = 1;
argc--; argv++;
}
else if (!strcmp (*argv, "--no-crl"))
{
no_crl = 1;
argc--; argv++;
}
else if (!strncmp (*argv, "--", 2))
{
fprintf (stderr, PGM ": unknown option '%s'\n", *argv);
@ -298,7 +305,9 @@ main (int argc, char **argv)
#if HTTP_USE_NTBTLS
log_info ("new session.\n");
err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF,
err = http_session_new (&session, NULL,
((no_crl? HTTP_FLAG_NO_CRL : 0)
| HTTP_FLAG_TRUST_DEF),
my_http_tls_verify_cb, NULL);
if (err)
log_error ("http_session_new failed: %s\n", gpg_strerror (err));
@ -313,7 +322,10 @@ main (int argc, char **argv)
http_register_tls_callback (verify_callback);
http_register_tls_ca (cafile);
err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF, NULL, NULL);
err = http_session_new (&session, NULL,
((no_crl? HTTP_FLAG_NO_CRL : 0)
| HTTP_FLAG_TRUST_DEF),
NULL, NULL);
if (err)
log_error ("http_session_new failed: %s\n", gpg_strerror (err));