security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-03 22:56:33 +02:00
Code Activity

Merge branch 'master' into gniibe/t6275

Browse source
This commit is contained in:
NIIBE Yutaka 2023-01-24 15:29:51 +09:00
commit 8e2207ecb9
No known key found for this signature in database
GPG key ID: 640114AF89DE6054
104 changed files with 2231 additions and 1412 deletions
Download patch file Download diff file Expand all files Collapse all files

4
dirmngr/Makefile.am
View file

@ -93,7 +93,7 @@ dirmngr_LDADD = $(libcommonpth) \
if USE_LDAP
dirmngr_LDADD += $(ldaplibs) $(LBER_LIBS)
endif
dirmngr_LDFLAGS = $(extra_bin_ldflags)
dirmngr_LDFLAGS =
if USE_LDAP
dirmngr_ldap_SOURCES = dirmngr_ldap.c ldap-misc.c ldap-misc.h $(ldap_url)
@ -108,7 +108,7 @@ dirmngr_client_SOURCES = dirmngr-client.c
dirmngr_client_LDADD = $(libcommon) \
$(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) \
$(LIBGCRYPT_LIBS) $(NETLIBS) $(LIBINTL) $(LIBICONV)
dirmngr_client_LDFLAGS = $(extra_bin_ldflags)
dirmngr_client_LDFLAGS =
t_common_src = t-support.h t-support.c

23
dirmngr/dirmngr.c
View file

@ -886,7 +886,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
/* This function is called after option parsing to adjust some values
* and call option setup functions. */
static void
post_option_parsing (void)
post_option_parsing (enum cmd_and_opt_values cmd)
{
/* It would be too surpirsing if the quick timeout is larger than
* the standard value. */
@ -894,6 +894,18 @@ post_option_parsing (void)
opt.connect_quick_timeout = opt.connect_timeout;
set_debug ();
/* For certain commands we do not want to set/test for Tor mode
* because that is somewhat expensive. */
switch (cmd)
{
case aGPGConfList:
case aGPGConfTest:
case aGPGConfVersions:
break;
default:
set_tor_mode ();
break;
}
}
@ -1214,12 +1226,7 @@ main (int argc, char **argv)
log_printf ("\n");
}
/* Note that we do not run set_tor_mode in --gpgconf-list mode
* because it will attempt to connect to the tor client and that can
* be time consuming. */
post_option_parsing ();
if (cmd != aGPGConfTest && cmd != aGPGConfList && cmd != aGPGConfVersions)
set_tor_mode ();
post_option_parsing (cmd);
/* Get LDAP server list from file unless --ldapserver has been used. */
#if USE_LDAP
@ -1965,7 +1972,7 @@ reread_configuration (void)
}
gpgrt_argparse (NULL, &pargs, NULL); /* Release internal state. */
xfree (twopart);
post_option_parsing ();
post_option_parsing (0);
finish:
/* Get a default log file from common.conf. */

69
dirmngr/ocsp.c
View file

@ -650,10 +650,13 @@ check_signature (ctrl_t ctrl,
/* Check whether the certificate either given by fingerprint CERT_FPR
or directly through the CERT object is valid by running an OCSP
transaction. With FORCE_DEFAULT_RESPONDER set only the configured
default responder is used. */
default responder is used. If R_REVOKED_AT or R_REASON are not
NULL and the certificat has been revoked the revocation time and
the reasons are stored there. */
gpg_error_t
ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
int force_default_responder)
int force_default_responder, ksba_isotime_t r_revoked_at,
const char **r_reason)
{
gpg_error_t err;
ksba_ocsp_t ocsp = NULL;
@ -672,6 +675,12 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
char *oid;
ksba_name_t name;
fingerprint_list_t default_signer = NULL;
const char *sreason;
if (r_revoked_at)
*r_revoked_at = 0;
if (r_reason)
*r_reason = NULL;
/* Get the certificate. */
if (cert)
@ -842,8 +851,36 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
more important message than the failure of our
cache. */
}
}
switch (reason)
{
case KSBA_CRLREASON_UNSPECIFIED:
sreason = "unspecified"; break;
case KSBA_CRLREASON_KEY_COMPROMISE:
sreason = "key compromise"; break;
case KSBA_CRLREASON_CA_COMPROMISE:
sreason = "CA compromise"; break;
case KSBA_CRLREASON_AFFILIATION_CHANGED:
sreason = "affiliation changed"; break;
case KSBA_CRLREASON_SUPERSEDED:
sreason = "superseded"; break;
case KSBA_CRLREASON_CESSATION_OF_OPERATION:
sreason = "cessation of operation"; break;
case KSBA_CRLREASON_CERTIFICATE_HOLD:
sreason = "certificate on hold"; break;
case KSBA_CRLREASON_REMOVE_FROM_CRL:
sreason = "removed from CRL"; break;
case KSBA_CRLREASON_PRIVILEGE_WITHDRAWN:
sreason = "privilege withdrawn"; break;
case KSBA_CRLREASON_AA_COMPROMISE:
sreason = "AA compromise"; break;
case KSBA_CRLREASON_OTHER:
sreason = "other"; break;
default: sreason = "?"; break;
}
}
else
sreason = "";
if (opt.verbose)
{
@ -855,29 +892,19 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
this_update, next_update);
if (status == KSBA_STATUS_REVOKED)
log_info (_("certificate has been revoked at: %s due to: %s\n"),
revocation_time,
reason == KSBA_CRLREASON_UNSPECIFIED? "unspecified":
reason == KSBA_CRLREASON_KEY_COMPROMISE? "key compromise":
reason == KSBA_CRLREASON_CA_COMPROMISE? "CA compromise":
reason == KSBA_CRLREASON_AFFILIATION_CHANGED?
"affiliation changed":
reason == KSBA_CRLREASON_SUPERSEDED? "superseded":
reason == KSBA_CRLREASON_CESSATION_OF_OPERATION?
"cessation of operation":
reason == KSBA_CRLREASON_CERTIFICATE_HOLD?
"certificate on hold":
reason == KSBA_CRLREASON_REMOVE_FROM_CRL?
"removed from CRL":
reason == KSBA_CRLREASON_PRIVILEGE_WITHDRAWN?
"privilege withdrawn":
reason == KSBA_CRLREASON_AA_COMPROMISE? "AA compromise":
reason == KSBA_CRLREASON_OTHER? "other":"?");
revocation_time, sreason);
}
if (status == KSBA_STATUS_REVOKED)
err = gpg_error (GPG_ERR_CERT_REVOKED);
{
err = gpg_error (GPG_ERR_CERT_REVOKED);
if (r_revoked_at)
gnupg_copy_time (r_revoked_at, revocation_time);
if (r_reason)
*r_reason = sreason;
}
else if (status == KSBA_STATUS_UNKNOWN)
err = gpg_error (GPG_ERR_NO_DATA);
else if (status != KSBA_STATUS_GOOD)

4
dirmngr/ocsp.h
View file

@ -23,7 +23,9 @@
#define OCSP_H
gpg_error_t ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
int force_default_responder);
int force_default_responder,
gnupg_isotime_t r_revoked_at,
const char **r_reason);
/* Release the list of OCSP certificates hold in the CTRL object. */
void release_ctrl_ocsp_certs (ctrl_t ctrl);

22
dirmngr/server.c
View file

@ -1310,6 +1310,9 @@ cmd_isvalid (assuan_context_t ctx, char *line)
again:
if (ocsp_mode)
{
gnupg_isotime_t revoked_at;
const char *reason;
/* Note, that we currently ignore the supplied fingerprint FPR;
* instead ocsp_isvalid does an inquire to ask for the cert.
* The fingerprint may eventually be used to lookup the
@ -1317,7 +1320,12 @@ cmd_isvalid (assuan_context_t ctx, char *line)
if (!opt.allow_ocsp)
err = gpg_error (GPG_ERR_NOT_SUPPORTED);
else
err = ocsp_isvalid (ctrl, NULL, NULL, force_default_responder);
err = ocsp_isvalid (ctrl, NULL, NULL, force_default_responder,
revoked_at, &reason);
if (gpg_err_code (err) == GPG_ERR_CERT_REVOKED)
dirmngr_status_printf (ctrl, "REVOCATIONINFO", "%s %s",
revoked_at, reason);
if (gpg_err_code (err) == GPG_ERR_CONFIGURATION
&& gpg_err_source (err) == GPG_ERR_SOURCE_DIRMNGR)
@ -1512,6 +1520,8 @@ cmd_checkocsp (assuan_context_t ctx, char *line)
unsigned char fprbuffer[20], *fpr;
ksba_cert_t cert;
int force_default_responder;
gnupg_isotime_t revoked_at;
const char *reason;
force_default_responder = has_option (line, "--force-default-responder");
line = skip_options (line);
@ -1547,12 +1557,18 @@ cmd_checkocsp (assuan_context_t ctx, char *line)
goto leave;
}
assert (cert);
log_assert (cert);
if (!opt.allow_ocsp)
err = gpg_error (GPG_ERR_NOT_SUPPORTED);
else
err = ocsp_isvalid (ctrl, cert, NULL, force_default_responder);
err = ocsp_isvalid (ctrl, cert, NULL, force_default_responder,
revoked_at, &reason);
if (gpg_err_code (err) == GPG_ERR_CERT_REVOKED)
dirmngr_status_printf (ctrl, "REVOCATIONINFO", "%s %s",
revoked_at, reason);
leave:
ksba_cert_release (cert);