dirmngr: Use system certs if --hkp-cacert is not used.

* dirmngr/certcache.c (any_cert_of_class): New var. (put_cert): Set it. (cert_cache_deinit): Clear it. (cert_cache_any_in_class): New func. * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Add hack to override empty list of HKP certs. -- This patch carries the changes for GNUTLS from commit 7c1613d41566f7d8db116790087de323621205fe over to NTBTLS. NTBTLS works quite different and thus we need to do it this way. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-02-01 16:33:02 +01:00 · 2017-09-18 22:49:05 +02:00 · 2017-09-18 22:49:05 +02:00 · df692a6167
commit df692a6167
parent 9588dd116c
3 changed files with 26 additions and 1 deletions
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@ -94,6 +94,10 @@ static int initialization_done;
 /* Total number of non-permanent certificates.  */
 static unsigned int total_nonperm_certificates;

+/* For each cert class the corresponding bit is set if at least one
+ * certificate of that class is loaded permanetly.  */
+static unsigned int any_cert_of_class;
+

 #ifdef HAVE_W32_SYSTEM
 /* We load some functions dynamically.  Provide typedefs for tehse
@ -343,7 +347,9 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
  ci->permanent = !!permanent;
  ci->trustclasses = trustclass;

-  if (!permanent)
+  if (permanent)
+    any_cert_of_class |= trustclass;
+  else
    total_nonperm_certificates++;

  return 0;
@ -758,6 +764,7 @@ cert_cache_deinit (int full)
    }

  total_nonperm_certificates = 0;
+  any_cert_of_class = 0;
  initialization_done = 0;
  release_cache_lock ();
 }
@ -814,6 +821,15 @@ cert_cache_print_stats (void)
 }


+/* Return true if any cert of a class in MASK is permanently
+ * loaded.  */
+int
+cert_cache_any_in_class (unsigned int mask)
+{
+  return !!(any_cert_of_class & mask);
+}
+
+
 /* Put CERT into the certificate cache.  */
 gpg_error_t
 cache_cert (ksba_cert_t cert)
--- a/dirmngr/certcache.h
+++ b/dirmngr/certcache.h
@ -39,6 +39,9 @@ void cert_cache_deinit (int full);
 /* Print some statistics to the log file.  */
 void cert_cache_print_stats (void);

+/* Return true if any cert of a class in MASK is permanently loaded.  */
+int cert_cache_any_in_class (unsigned int mask);
+
 /* Compute the fingerprint of the certificate CERT and put it into
   the 20 bytes large buffer DIGEST.  Return address of this buffer.  */
 unsigned char *cert_compute_fpr (ksba_cert_t cert, unsigned char *digest);
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@ -91,6 +91,12 @@ gnupg_http_tls_verify_cb (void *opaque,
        validate_flags |= VALIDATE_FLAG_TRUST_HKP;
      if ((http_flags & HTTP_FLAG_TRUST_SYS))
        validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
+
+      /* If HKP trust is requested and there are no HKP certificates
+       * configured, also try thye standard system certificates.  */
+      if ((validate_flags & VALIDATE_FLAG_TRUST_HKP)
+          && !cert_cache_any_in_class (CERTTRUST_CLASS_HKP))
+        validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
    }

  if ((http_flags & HTTP_FLAG_NO_CRL))