dirmngr: Support https for KS_FETCH.

* dirmngr/ks-engine-hkp.c (cert_log_cb): Move to ... * dirmngr/misc.c (cert_log_cb): here. * dirmngr/ks-engine-http.c (ks_http_fetch): Support 307-redirection and https. -- Note that this requires that the root certificates are registered using the --hkp-cacert option. Eventually we may introduce a separate option to allow using different CAs for KS_FETCH and keyserver based requests.
2014-09-10 10:37:48 +02:00 · 2014-09-10 10:37:48 +02:00 · 84419f42da
parent 3b20cc21de
commit 84419f42da
4 changed files with 48 additions and 35 deletions
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@ -880,40 +880,6 @@ ks_hkp_housekeeping (time_t curtime)
 }


-/* Callback to print infos about the TLS certificates.  */
-static void
-cert_log_cb (http_session_t sess, gpg_error_t err,
-             const char *hostname, const void **certs, size_t *certlens)
-{
-  ksba_cert_t cert;
-  size_t n;
-
-  (void)sess;
-
-  if (!err)
-    return; /* No error - no need to log anything  */
-
-  log_debug ("expected hostname: %s\n", hostname);
-  for (n=0; certs[n]; n++)
-    {
-      err = ksba_cert_new (&cert);
-      if (!err)
-        err = ksba_cert_init_from_mem (cert, certs[n], certlens[n]);
-      if (err)
-        log_error ("error parsing cert for logging: %s\n", gpg_strerror (err));
-      else
-        {
-          char textbuf[20];
-          snprintf (textbuf, sizeof textbuf, "server[%u]", (unsigned int)n);
-          dump_cert (textbuf, cert);
-        }
-
-      ksba_cert_release (cert);
-    }
-}
-
-
-
 /* Send an HTTP request.  On success returns an estream object at
   R_FP.  HOSTPORTSTR is only used for diagnostics.  If HTTPHOST is
   not NULL it will be used as HTTP "Host" header.  If POST_CB is not
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@ -38,6 +38,7 @@ ks_http_help (ctrl_t ctrl, parsed_uri_t uri)
  const char const data[] =
    "Handler for HTTP URLs:\n"
    "  http://\n"
+    "  https://\n"
    "Supported methods: fetch\n";
  gpg_error_t err;

@ -58,11 +59,17 @@ gpg_error_t
 ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
 {
  gpg_error_t err;
+  http_session_t session = NULL;
  http_t http = NULL;
  int redirects_left = MAX_REDIRECTS;
  estream_t fp = NULL;
  char *request_buffer = NULL;

+  err = http_session_new (&session, NULL);
+  if (err)
+    goto leave;
+  http_session_set_log_cb (session, cert_log_cb);
+
  *r_fp = NULL;
 once_more:
  err = http_open (&http,
@ -72,7 +79,8 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
                   /* fixme: AUTH */ NULL,
                   0,
                   /* fixme: proxy*/ NULL,
-                   NULL, NULL,
+                   session,
+                   NULL,
                   /*FIXME curl->srvtag*/NULL);
  if (!err)
    {
@ -112,6 +120,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)

    case 301:
    case 302:
+    case 307:
      {
        const char *s = http_get_header (http, "Location");

@ -157,6 +166,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)

 leave:
  http_close (http, 0);
+  http_session_release (session);
  xfree (request_buffer);
  return err;
 }
--- a/dirmngr/misc.c
+++ b/dirmngr/misc.c
@ -384,6 +384,39 @@ cert_log_subject (const char *text, ksba_cert_t cert)
 }


+/* Callback to print infos about the TLS certificates.  */
+void
+cert_log_cb (http_session_t sess, gpg_error_t err,
+             const char *hostname, const void **certs, size_t *certlens)
+{
+  ksba_cert_t cert;
+  size_t n;
+
+  (void)sess;
+
+  if (!err)
+    return; /* No error - no need to log anything  */
+
+  log_debug ("expected hostname: %s\n", hostname);
+  for (n=0; certs[n]; n++)
+    {
+      err = ksba_cert_new (&cert);
+      if (!err)
+        err = ksba_cert_init_from_mem (cert, certs[n], certlens[n]);
+      if (err)
+        log_error ("error parsing cert for logging: %s\n", gpg_strerror (err));
+      else
+        {
+          char textbuf[20];
+          snprintf (textbuf, sizeof textbuf, "server[%u]", (unsigned int)n);
+          dump_cert (textbuf, cert);
+        }
+
+      ksba_cert_release (cert);
+    }
+}
+
+
 /****************
 * Remove all %xx escapes; this is done inplace.
 * Returns: New length of the string.
--- a/dirmngr/misc.h
+++ b/dirmngr/misc.h
@ -68,6 +68,10 @@ void dump_string (const char *string);
   TEXT.  This is used for debugging. */
 void dump_cert (const char *text, ksba_cert_t cert);

+/* Callback to print infos about the TLS certificates.  */
+void cert_log_cb (http_session_t sess, gpg_error_t err,
+                  const char *hostname, const void **certs, size_t *certlens);
+
 /* Return the host name and the port (0 if none was given) from the
   URL.  Return NULL on error or if host is not included in the
   URL.  */