From 84419f42da0fd436a9e0e669730157e74ce38b77 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 10 Sep 2014 10:37:48 +0200
Subject: [PATCH] dirmngr: Support https for KS_FETCH.
* dirmngr/ks-engine-hkp.c (cert_log_cb): Move to ...
* dirmngr/misc.c (cert_log_cb): here.
* dirmngr/ks-engine-http.c (ks_http_fetch): Support 307-redirection and https.
--
Note that this requires that the root certificates are registered using the --hkp-cacert option. Eventually we may introduce a separate option to allow using different CAs for KS_FETCH and keyserver based requests.
---
 dirmngr/ks-engine-hkp.c | 34 ----------------------------------
 dirmngr/ks-engine-http.c | 12 +++++++++++-
 dirmngr/misc.c | 33 +++++++++++++++++++++++++++++++++
 dirmngr/misc.h | 4 ++++
 4 files changed, 48 insertions(+), 35 deletions(-)
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 762ab4ab0..12b1778c6 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -880,40 +880,6 @@ ks_hkp_housekeeping (time_t curtime)
 }
-/* Callback to print infos about the TLS certificates. */
-static void
-cert_log_cb (http_session_t sess, gpg_error_t err,
- const char *hostname, const void **certs, size_t *certlens)
-{
- ksba_cert_t cert;
- size_t n;
-
- (void)sess;
-
- if (!err)
- return; /* No error - no need to log anything */
- log_debug ("expected hostname: %s\n", hostname);
- for (n=0; certs[n]; n++)
- {
- err = ksba_cert_new (&cert);
- if (!err)
- err = ksba_cert_init_from_mem (cert, certs[n], certlens[n]);
- if (err)
- log_error ("error parsing cert for logging: %s\n", gpg_strerror (err));
- else
- {
- char textbuf[20];
- snprintf (textbuf, sizeof textbuf, "server[%u]", (unsigned int)n);
- dump_cert (textbuf, cert);
- }
-
- ksba_cert_release (cert);
- }
-}
-
-
-
 /* Send an HTTP request. On success returns an estream object at R_FP. HOSTPORTSTR is only used for diagnostics. If HTTPHOST is not NULL it will be used as HTTP "Host" header. If POST_CB is not
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index aed3aaa84..e4c2b788b 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -38,6 +38,7 @@ ks_http_help (ctrl_t ctrl, parsed_uri_t uri)
 const char const data[] =
 "Handler for HTTP URLs:\n"
 " http://\n"
+ " https://\n"
 "Supported methods: fetch\n";
 gpg_error_t err;
@@ -58,11 +59,17 @@ gpg_error_t
 ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
 {
 gpg_error_t err;
+ http_session_t session = NULL;
 http_t http = NULL;
 int redirects_left = MAX_REDIRECTS;
 estream_t fp = NULL;
 char *request_buffer = NULL;
+ err = http_session_new (&session, NULL);
+ if (err)
+ goto leave;
+ http_session_set_log_cb (session, cert_log_cb);
+
 *r_fp = NULL;
 once_more:
 err = http_open (&http,
@@ -72,7 +79,8 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
 /* fixme: AUTH */ NULL, 0, /* fixme: proxy*/ NULL,
-NULL, NULL,
+session,
+NULL,
 /*FIXME curl->srvtag*/NULL);
 if (!err)
 {
@@ -112,6 +120,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
 case 301:
 case 302:
+ case 307:
 {
 const char *s = http_get_header (http, "Location");
@@ -157,6 +166,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
 leave:
 http_close (http, 0);
+ http_session_release (session);
 xfree (request_buffer);
 return err;
 }
diff --git a/dirmngr/misc.c b/dirmngr/misc.c
index 0bca5ee9a..25652a252 100644
--- a/dirmngr/misc.c
+++ b/dirmngr/misc.c
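Review bot: In the ks_http_fetch hunk the new `goto leave` taken when `http_session_new` fails jumps past `*r_fp = NULL;`, so on that one path the function returns an error without having cleared the caller's output pointer, unlike every later failure path; move `*r_fp = NULL;` up to directly follow the declarations, ahead of `err = http_session_new (&session, NULL);`. The redirect handling after the new `case 307:` label and most of the function body lie outside the hunks, so this is hedged: with https now accepted, a 3xx whose Location header names a plain http URL is followed as a silent transport downgrade unless that code already rejects it or at least logs it. Since cert_log_cb only writes log lines and never influences the result, the line `http_session_set_log_cb (session, cert_log_cb);` deserves a comment such as `/* Diagnostic hook only: it logs the peer chain when the http layer reports an error and does not decide whether the fetch proceeds.  */` so it is not mistaken for the verification step.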
@@ -384,6 +384,39 @@ cert_log_subject (const char *text, ksba_cert_t cert)
 }
+/* Callback to print infos about the TLS certificates. */
+void
+cert_log_cb (http_session_t sess, gpg_error_t err,
+ const char *hostname, const void **certs, size_t *certlens)
+{
+ ksba_cert_t cert;
+ size_t n;
+
+ (void)sess;
+
+ if (!err)
+ return; /* No error - no need to log anything */
+
+ log_debug ("expected hostname: %s\n", hostname);
+ for (n=0; certs[n]; n++)
+ {
+ err = ksba_cert_new (&cert);
+ if (!err)
+ err = ksba_cert_init_from_mem (cert, certs[n], certlens[n]);
+ if (err)
+ log_error ("error parsing cert for logging: %s\n", gpg_strerror (err));
+ else
+ {
+ char textbuf[20];
+ snprintf (textbuf, sizeof textbuf, "server[%u]", (unsigned int)n);
+ dump_cert (textbuf, cert);
+ }
+
+ ksba_cert_release (cert);
+ }
+}
+
+
 /****************
 * Remove all %xx escapes; this is done inplace.
 * Returns: New length of the string.
diff --git a/dirmngr/misc.h b/dirmngr/misc.h
index 928bf78ae..2dc298557 100644
--- a/dirmngr/misc.h
+++ b/dirmngr/misc.h
@@ -68,6 +68,10 @@ void dump_string (const char *string);
 TEXT. This is used for debugging. */
 void dump_cert (const char *text, ksba_cert_t cert);
+/* Callback to print infos about the TLS certificates. */
+void cert_log_cb (http_session_t sess, gpg_error_t err,
+ const char *hostname, const void **certs, size_t *certlens);
+
 /* Return the host name and the port (0 if none was given) from the URL. Return NULL on error or if host is not included in the URL. */
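Review bot: In the moved cert_log_cb, `ksba_cert_release (cert);` runs on every iteration, including the one in which `ksba_cert_new (&cert)` failed; whether libksba leaves `cert` untouched on failure is not visible here, so `ksba_cert_t cert = NULL;` would make the release unconditionally safe at no cost. The loop `for (n=0; certs[n]; n++)` relies on CERTS being a NULL-terminated array with CERTLENS parallel to it, and `hostname` goes straight into a `%s`; neither precondition is written down, so the header comment should record them, e.g. `/* Log callback for an HTTP session.  ERR is the status handed over by the http layer and nothing is logged when it is zero; HOSTNAME is the name that was expected; CERTS is a NULL-terminated list of the peer's certificates with their lengths in CERTLENS.  This function only logs and does not change the outcome.  */`. Note also that `err` is reused for the per-certificate parse status, so the incoming error is gone once the loop ends; harmless today because nothing reads it afterwards, but a separate local would keep the original around if this function ever grows a return value.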
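Review bot: The new prototype in misc.h names `http_session_t`, a type that belongs to the HTTP module rather than to misc.h; the header's include list is outside the hunk, so I cannot tell whether that type is already in scope, and if it is not, any file that includes misc.h without first including the header that declares `http_session_t` stops compiling. Either include that header at the top of misc.h or forward-declare the type there. The comment `/* Callback to print infos about the TLS certificates. */` would also be more useful as `/* Log callback meant to be registered with http_session_set_log_cb; it only logs and never affects verification.  */`.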