dirmngr: Support https for KS_FETCH.

* dirmngr/ks-engine-hkp.c (cert_log_cb): Move to ...
* dirmngr/misc.c (cert_log_cb): here.
* dirmngr/ks-engine-http.c (ks_http_fetch): Support 307-redirection
and https.
--

Note that this requires that the root certificates are registered using
the --hkp-cacert option.  Eventually we may introduce a separate
option to allow using different CAs for KS_FETCH and keyserver based
requests.
Werner Koch 2014-09-10 10:37:48 +02:00
parent 3b20cc21de
commit 84419f42da
4 changed files with 48 additions and 35 deletions


@ -880,40 +880,6 @@ ks_hkp_housekeeping (time_t curtime)
} }
/* Callback to print infos about the TLS certificates. */
static void
cert_log_cb (http_session_t sess, gpg_error_t err,
const char *hostname, const void **certs, size_t *certlens)
{
ksba_cert_t cert;
size_t n;
(void)sess;
if (!err)
return; /* No error - no need to log anything */
log_debug ("expected hostname: %s\n", hostname);
for (n=0; certs[n]; n++)
{
err = ksba_cert_new (&cert);
if (!err)
err = ksba_cert_init_from_mem (cert, certs[n], certlens[n]);
if (err)
log_error ("error parsing cert for logging: %s\n", gpg_strerror (err));
else
{
char textbuf[20];
snprintf (textbuf, sizeof textbuf, "server[%u]", (unsigned int)n);
dump_cert (textbuf, cert);
}
ksba_cert_release (cert);
}
}
/* Send an HTTP request. On success returns an estream object at /* Send an HTTP request. On success returns an estream object at
R_FP. HOSTPORTSTR is only used for diagnostics. If HTTPHOST is R_FP. HOSTPORTSTR is only used for diagnostics. If HTTPHOST is
not NULL it will be used as HTTP "Host" header. If POST_CB is not not NULL it will be used as HTTP "Host" header. If POST_CB is not


@ -38,6 +38,7 @@ ks_http_help (ctrl_t ctrl, parsed_uri_t uri)
const char const data[] = const char const data[] =
"Handler for HTTP URLs:\n" "Handler for HTTP URLs:\n"
" http://\n" " http://\n"
" https://\n"
"Supported methods: fetch\n"; "Supported methods: fetch\n";
gpg_error_t err; gpg_error_t err;
@ -58,11 +59,17 @@ gpg_error_t
ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp) ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
{ {
gpg_error_t err; gpg_error_t err;
http_session_t session = NULL;
http_t http = NULL; http_t http = NULL;
int redirects_left = MAX_REDIRECTS; int redirects_left = MAX_REDIRECTS;
estream_t fp = NULL; estream_t fp = NULL;
char *request_buffer = NULL; char *request_buffer = NULL;
err = http_session_new (&session, NULL);
if (err)
goto leave;
http_session_set_log_cb (session, cert_log_cb);
*r_fp = NULL; *r_fp = NULL;
once_more: once_more:
err = http_open (&http, err = http_open (&http,
@ -72,7 +79,8 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
/* fixme: AUTH */ NULL, /* fixme: AUTH */ NULL,
0, 0,
/* fixme: proxy*/ NULL, /* fixme: proxy*/ NULL,
NULL, NULL, session,
NULL,
/*FIXME curl->srvtag*/NULL); /*FIXME curl->srvtag*/NULL);
if (!err) if (!err)
{ {
@ -112,6 +120,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
case 301: case 301:
case 302: case 302:
case 307:
{ {
const char *s = http_get_header (http, "Location"); const char *s = http_get_header (http, "Location");
@ -157,6 +166,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
leave: leave:
http_close (http, 0); http_close (http, 0);
http_session_release (session);
xfree (request_buffer); xfree (request_buffer);
return err; return err;
} }
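Review bot: In the new prologue of `ks_http_fetch` the `goto leave` taken when `http_session_new` fails runs before `*r_fp = NULL;`, so on that single error path the caller's output pointer is left untouched while every later failure clears it; move `*r_fp = NULL;` above `err = http_session_new (&session, NULL);`. Separately, now that a fetch can start over https, the 301/302/307 handling accepts whatever `Location` the server returns; unless the code past this hunk checks the scheme, a redirect from an https:// URL to an http:// one silently drops TLS, so consider rejecting a scheme downgrade before jumping back to `once_more`. The redirect handling and the rest of the function body continue outside the hunk.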


@ -384,6 +384,39 @@ cert_log_subject (const char *text, ksba_cert_t cert)
} }
/* Callback to print infos about the TLS certificates. */
void
cert_log_cb (http_session_t sess, gpg_error_t err,
const char *hostname, const void **certs, size_t *certlens)
{
ksba_cert_t cert;
size_t n;
(void)sess;
if (!err)
return; /* No error - no need to log anything */
log_debug ("expected hostname: %s\n", hostname);
for (n=0; certs[n]; n++)
{
err = ksba_cert_new (&cert);
if (!err)
err = ksba_cert_init_from_mem (cert, certs[n], certlens[n]);
if (err)
log_error ("error parsing cert for logging: %s\n", gpg_strerror (err));
else
{
char textbuf[20];
snprintf (textbuf, sizeof textbuf, "server[%u]", (unsigned int)n);
dump_cert (textbuf, cert);
}
ksba_cert_release (cert);
}
}
/**************** /****************
* Remove all %xx escapes; this is done inplace. * Remove all %xx escapes; this is done inplace.
* Returns: New length of the string. * Returns: New length of the string.
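Review bot: `cert_log_cb` returns early unless `err` is set, so it runs only after a TLS certificate check failed, yet the failing `err` itself is never logged — only the expected hostname and the server chain are dumped, so an operator cannot tell why verification failed (unknown CA, name mismatch, expired). Log it before `err` is reused for the ksba calls, e.g. `log_debug ("TLS certificate check failed: %s\n", gpg_strerror (err));` ahead of the `expected hostname` line. The function is otherwise moved verbatim from ks-engine-hkp.c; note that `hostname` is passed straight to `%s`, which is undefined behavior if the http layer can ever hand over NULL here — `hostname? hostname : "[none]"` would make that safe.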


@ -68,6 +68,10 @@ void dump_string (const char *string);
TEXT. This is used for debugging. */ TEXT. This is used for debugging. */
void dump_cert (const char *text, ksba_cert_t cert); void dump_cert (const char *text, ksba_cert_t cert);
/* Callback to print infos about the TLS certificates. */
void cert_log_cb (http_session_t sess, gpg_error_t err,
const char *hostname, const void **certs, size_t *certlens);
/* Return the host name and the port (0 if none was given) from the /* Return the host name and the port (0 if none was given) from the
URL. Return NULL on error or if host is not included in the URL. Return NULL on error or if host is not included in the
URL. */ URL. */