security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-03-11 22:52:47 +01:00
Code Activity

dirmngr: Register hkp-cacert even if the file doesn't exist yet

Browse Source 
* dirmngr/dirmngr.c (parse_readable_options): If we're unable to turn
an argument for hkp-cacert into an absolute filename, terminate
completely.
* dirmngr/http.c (http_register_tls_ca): Show a warning if file is not
immediately accessible, but register it anyway.

--

Without this changeset, the condition of the filesystem when dirmngr
is initialized will have an effect on later activities of dirmngr.

For example, if a file identified by a hkp-cacert directive doesn't
exist when dirmngr starts, dirmngr will behave as though it simply
didn't have the hkp-cacert directive set at all, even if the file
should appear later.

dirmngr currently behaves differently if no hkp-cacert directives have
been set then it does when at least one hkp-cacert directive has been
set.  For example, its choice of CA cert for
hkps://hkps.pool.sks-keyservers.net depends on whether a TLS CA file
has been registered.  That behavior shouldn't additionally depend on
the state of the filesystem at the time of dirmngr launch.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
This commit is contained in:
Daniel Kahn Gillmor 2016-10-27 18:30:57 -04:00 committed by Werner Koch
parent 5210ff70bc
commit c4e02a3b7a
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 8 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
dirmngr/dirmngr.c
View File

@ -611,15 +611,9 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
{ {
char *tmpname; char *tmpname;
/* Do tilde expansion and print a warning if the file can't be /* Do tilde expansion and make path absolute. */
accessed. */ tmpname = make_absfilename (pargs->r.ret_str, NULL);
tmpname = make_absfilename_try (pargs->r.ret_str, NULL); http_register_tls_ca (tmpname);
if (!tmpname || access (tmpname, F_OK))
log_info (_("can't access '%s': %s\n"),
tmpname? tmpname : pargs->r.ret_str,
gpg_strerror (gpg_error_from_syserror()));
else
http_register_tls_ca (tmpname);
xfree (tmpname); xfree (tmpname);
} }
break; break;

5
dirmngr/http.c
View File

@ -495,6 +495,11 @@ http_register_tls_ca (const char *fname)
} }
else else
{ {
/* Warn if we can't access right now, but register it anyway in
case it becomes accessible later */
if (access (fname, F_OK))
log_info (_("can't access '%s': %s\n"), fname,
gpg_strerror (gpg_error_from_syserror()));
sl = add_to_strlist (&tls_ca_certlist, fname); sl = add_to_strlist (&tls_ca_certlist, fname);
if (*sl->d && !strcmp (sl->d + strlen (sl->d) - 4, ".pem")) if (*sl->d && !strcmp (sl->d + strlen (sl->d) - 4, ".pem"))
sl->flags = 1; sl->flags = 1;