security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00
Code Activity

dirmngr: First take on ntbtls cert verification.

Browse source 
* dirmngr/http-ntbtls.c: New.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add file.
* dirmngr/dirmngr.h (SERVER_CONTROL_MAGIC): New.
(server_conrol_s): Add field 'magic',
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set MAGIC.
(dirmngr_deinit_default_ctrl): Set MAGIC to deadbeef.
* dirmngr/http.c (my_ntbtls_verify_cb): New.
(http_session_new) [HTTP_USE_NTBTLS]: Remove all CA setting code.
(send_request) [HTTP_USE_NTBTLS]: Set the verify callback.  Do not call
the verify callback after the handshake.
* dirmngr/ks-engine-hkp.c (send_request): Pass
gnupg_http_tls_verify_cb to http_session_new.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.

* dirmngr/t-http.c (my_http_tls_verify_cb): New.
(main): Rename option --gnutls-debug to --tls-debug.
(main) [HTTP_USE_NTBTLS]: Create a session.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2017-02-19 10:36:43 +01:00
parent a74902cccd
commit 64fffd0ce2
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
8 changed files with 233 additions and 93 deletions
Download patch file Download diff file Expand all files Collapse all files

121
dirmngr/http.c
View file

@ -413,6 +413,21 @@ my_gnutls_write (gnutls_transport_ptr_t ptr, const void *buffer, size_t size)
#endif /*HTTP_USE_GNUTLS*/
#ifdef HTTP_USE_NTBTLS
/* Connect the ntbls callback to our generic callback. */
static gpg_error_t
my_ntbtls_verify_cb (void *opaque, ntbtls_t tls, unsigned int verify_flags)
{
http_t hd = opaque;
log_assert (hd && hd->session && hd->session->verify_cb);
return hd->session->verify_cb (hd->session->verify_cb_value,
hd, hd->session,
(hd->flags | hd->session->flags),
tls);
}
#endif /*HTTP_USE_NTBTLS*/
/* This notification function is called by estream whenever stream is
@ -632,91 +647,16 @@ http_session_new (http_session_t *r_session,
#if HTTP_USE_NTBTLS
{
x509_cert_t ca_chain;
char line[256];
estream_t fp, mem_p;
size_t nread, nbytes;
struct b64state state;
void *buf;
size_t buflen;
char *pemname;
pemname = make_filename_try (gnupg_datadir (),
"sks-keyservers.netCA.pem", NULL);
if (!pemname)
{
err = gpg_error_from_syserror ();
log_error ("setting CA from file '%s' failed: %s\n",
pemname, gpg_strerror (err));
goto leave;
}
fp = es_fopen (pemname, "r");
if (!fp)
{
err = gpg_error_from_syserror ();
log_error ("can't open '%s': %s\n", pemname, gpg_strerror (err));
xfree (pemname);
goto leave;
}
xfree (pemname);
mem_p = es_fopenmem (0, "r+b");
err = b64dec_start (&state, "CERTIFICATE");
if (err)
{
log_error ("b64dec failure: %s\n", gpg_strerror (err));
goto leave;
}
while ( (nread = es_fread (line, 1, DIM (line), fp)) )
{
err = b64dec_proc (&state, line, nread, &nbytes);
if (err)
{
if (gpg_err_code (err) == GPG_ERR_EOF)
break;
log_error ("b64dec failure: %s\n", gpg_strerror (err));
es_fclose (fp);
es_fclose (mem_p);
goto leave;
}
else if (nbytes)
es_fwrite (line, 1, nbytes, mem_p);
}
err = b64dec_finish (&state);
if (err)
{
log_error ("b64dec failure: %s\n", gpg_strerror (err));
es_fclose (fp);
es_fclose (mem_p);
goto leave;
}
es_fclose_snatch (mem_p, &buf, &buflen);
es_fclose (fp);
err = ntbtls_x509_cert_new (&ca_chain);
if (err)
{
log_error ("ntbtls_x509_new failed: %s\n", gpg_strerror (err));
xfree (buf);
goto leave;
}
err = ntbtls_x509_append_cert (ca_chain, buf, buflen);
xfree (buf);
(void)intended_hostname; /* Not needed because we do not preload
* certificates. */
err = ntbtls_new (&sess->tls_session, NTBTLS_CLIENT);
if (err)
{
log_error ("ntbtls_new failed: %s\n", gpg_strerror (err));
ntbtls_x509_cert_release (ca_chain);
goto leave;
}
err = ntbtls_set_ca_chain (sess->tls_session, ca_chain, NULL);
}
#elif HTTP_USE_GNUTLS
{
@ -1819,6 +1759,21 @@ send_request (http_t hd, const char *httphost, const char *auth,
return err;
}
#ifdef HTTP_USE_NTBTLS
if (hd->session->verify_cb)
{
err = ntbtls_set_verify_cb (hd->session->tls_session,
my_ntbtls_verify_cb, hd);
if (err)
{
log_error ("ntbtls_set_verify_cb failed: %s\n",
gpg_strerror (err));
xfree (proxy_authstr);
return err;
}
}
#endif /*HTTP_USE_NTBTLS*/
while ((err = ntbtls_handshake (hd->session->tls_session)))
{
switch (err)
@ -1833,12 +1788,18 @@ send_request (http_t hd, const char *httphost, const char *auth,
hd->session->verify.done = 0;
/* Try the available verify callbacks until one returns success
* or a real error. */
* or a real error. Note that NTBTLS does the verification
* during the handshake via */
#ifdef HTTP_USE_NTBTLS
err = 0; /* Fixme check that the CB has been called. */
#else
err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
#endif
if (hd->session->verify_cb)
if (hd->session->verify_cb
&& gpg_err_source (err) == GPG_ERR_SOURCE_DIRMNGR
&& gpg_err_code (err) == GPG_ERR_NOT_IMPLEMENTED)
err = hd->session->verify_cb (hd->session->verify_cb_value,
hd, hd->session,
(hd->flags | hd->session->flags),