diff --git a/common/ChangeLog b/common/ChangeLog index 75c79c6f6..56e9712e2 100644 --- a/common/ChangeLog +++ b/common/ChangeLog @@ -1,3 +1,9 @@ +2009-07-23 Werner Koch + + * util.h (GPG_ERR_NOT_ENABLED): New. + * audit.h (enum): Add AUDIT_CRL_CHECK. + * audit.c (proc_type_verify): Show CRL check result. + 2009-07-06 Werner Koch * get-passphrase.c (struct agentargs): Add SESSION_ENV and remove diff --git a/common/audit.c b/common/audit.c index a3c5b80d5..436f0d25d 100644 --- a/common/audit.c +++ b/common/audit.c @@ -251,8 +251,8 @@ audit_log (audit_ctx_t ctx, audit_event_t event) } /* Add a new event to the audit log. If CTX is NULL, this function - does nothing. This version also adds the result of the oepration - to the log.. */ + does nothing. This version also adds the result of the operation + to the log. */ void audit_log_ok (audit_ctx_t ctx, audit_event_t event, gpg_error_t err) { @@ -479,6 +479,8 @@ writeout_li (audit_ctx_t ctx, const char *oktext, const char *format, ...) oktext = _("|audit-log-result|Not supported"); else if (!strcmp (oktext, "no-cert")) oktext = _("|audit-log-result|No certificate"); + else if (!strcmp (oktext, "disabled")) + oktext = _("|audit-log-result|Not enabled"); else if (!strcmp (oktext, "error")) oktext = _("|audit-log-result|Error"); else @@ -923,9 +925,31 @@ proc_type_verify (audit_ctx_t ctx) } /* Show result of the CRL/OCSP check. */ - writeout_li (ctx, "-", "%s", _("CRL/OCSP check of certificates")); - /* add_helptag (ctx, "gpgsm.ocsp-problem"); */ - + item = find_next_log_item (ctx, loopitem, + AUDIT_CRL_CHECK, AUDIT_NEW_SIG); + if (item) + { + const char *ok; + switch (gpg_err_code (item->err)) + { + case 0: ok = "good"; break; + case GPG_ERR_CERT_REVOKED: ok = "bad"; break; + case GPG_ERR_NOT_ENABLED: ok = "disabled"; break; + case GPG_ERR_NO_CRL_KNOWN: + ok = _("no CRL found for certificate"); + break; + case GPG_ERR_CRL_TOO_OLD: + ok = _("the available CRL is too old"); + break; + default: ok = gpg_strerror (item->err); break; + } + + writeout_li (ctx, ok, "%s", _("CRL/OCSP check of certificates")); + if (item->err + && gpg_err_code (item->err) != GPG_ERR_CERT_REVOKED + && gpg_err_code (item->err) != GPG_ERR_NOT_ENABLED) + add_helptag (ctx, "gpgsm.crl-problem"); + } leave_li (ctx); } diff --git a/common/audit.h b/common/audit.h index 85c2ffc25..491710706 100644 --- a/common/audit.h +++ b/common/audit.h @@ -139,6 +139,9 @@ typedef enum /* Tells whether the root certificate is trusted. This event is emmited durcing chain validation. */ + AUDIT_CRL_CHECK, /* err */ + /* Tells the status of a CRL or OCSP check. */ + AUDIT_GOT_RECIPIENTS, /* int */ /* Records the number of recipients to be used for encryption. This includes the recipients set by --encrypt-to but records 0 diff --git a/common/util.h b/common/util.h index 61b26f1de..3eed4eba8 100644 --- a/common/util.h +++ b/common/util.h @@ -25,6 +25,11 @@ #include /* We need errno. */ #include /* We need gpg_error_t. */ +/* Add error codes available only in newer versions of libgpg-error. */ +#ifndef GPG_ERR_NOT_ENABLED +#define GPG_ERR_NOT_ENABLED 179 +#endif + /* Hash function used with libksba. */ #define HASH_FNC ((void (*)(void *, const void*,size_t))gcry_md_write) diff --git a/doc/ChangeLog b/doc/ChangeLog index 04a137d34..5b4c0d0dd 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,7 @@ +2009-07-23 Werner Koch + + * help.txt (gpgsm.crl-problem): New. + 2009-07-22 Werner Koch * scdaemon.texi, instguide.texi, gpgsm.texi, sysnotes.texi diff --git a/doc/DETAILS b/doc/DETAILS index 39554a27c..cf940c0b3 100644 --- a/doc/DETAILS +++ b/doc/DETAILS @@ -628,12 +628,12 @@ more arguments in future versions. This is used to control smartcard operations. Defined values for WHAT are: 1 = Request insertion of a card. Serialnumber may be given - to request a specific card. - 2 = Request removal of a card. + to request a specific card. Used by gpg 1.4 w/o scdaemon. + 2 = Request removal of a card. Used by gpg 1.4 w/o scdaemon. 3 = Card with serialnumber detected 4 = No card available. 5 = No card reader available - + 6 = No card support available PLAINTEXT This indicates the format of the plaintext that is about to be diff --git a/doc/help.txt b/doc/help.txt index e186e27e8..36b993de5 100644 --- a/doc/help.txt +++ b/doc/help.txt @@ -357,7 +357,13 @@ trustlist.txt in GnuPG's home directory. If you are in doubt, ask your system administrator whether you should trust this certificate. - +.gpgsm.crl-problem +# This tex is displayed by the audit log for problems with +# the CRL or OCSP checking. +Depending on your configuration a problem retrieving the CRL or +performing an OCSP check occurred. There are a great variety of +reasons why this did not work. Check the manual for possible +solutions. # Local variables: diff --git a/g10/keygen.c b/g10/keygen.c index 91c990c08..38d78073f 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -1759,7 +1759,7 @@ ask_algo (int addmode, int *r_subkey_algo, unsigned int *r_usage) } -/* Ask for the key size. ALGO is the algorithjm. If PRIMARY_KEYSIZE +/* Ask for the key size. ALGO is the algorithm. If PRIMARY_KEYSIZE is not 0, the function asks for the size of the encryption subkey. */ static unsigned diff --git a/sm/ChangeLog b/sm/ChangeLog index 954f88ea5..b50703e4b 100644 --- a/sm/ChangeLog +++ b/sm/ChangeLog @@ -1,3 +1,7 @@ +2009-07-23 Werner Koch + + * certchain.c (is_cert_still_valid): Emit AUDIT_CRL_CHECK. + 2009-07-07 Werner Koch * server.c (command_has_option): New. diff --git a/sm/certchain.c b/sm/certchain.c index ddf4ece8f..e9a1aadfa 100644 --- a/sm/certchain.c +++ b/sm/certchain.c @@ -889,11 +889,17 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp, gpg_error_t err; if (opt.no_crl_check && !ctrl->use_ocsp) - return 0; + { + audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, + gpg_error (GPG_ERR_NOT_ENABLED)); + return 0; + } err = gpgsm_dirmngr_isvalid (ctrl, subject_cert, issuer_cert, force_ocsp? 2 : !!ctrl->use_ocsp); + audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, err); + if (err) { if (!lm)