From df692a6167be5486f9a29da003a00292fd895176 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 18 Sep 2017 22:49:05 +0200 Subject: [PATCH] dirmngr: Use system certs if --hkp-cacert is not used. * dirmngr/certcache.c (any_cert_of_class): New var. (put_cert): Set it. (cert_cache_deinit): Clear it. (cert_cache_any_in_class): New func. * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Add hack to override empty list of HKP certs. -- This patch carries the changes for GNUTLS from commit 7c1613d41566f7d8db116790087de323621205fe over to NTBTLS. NTBTLS works quite different and thus we need to do it this way. Signed-off-by: Werner Koch --- dirmngr/certcache.c | 18 +++++++++++++++++- dirmngr/certcache.h | 3 +++ dirmngr/http-ntbtls.c | 6 ++++++ 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c index b4e538131..56629fdda 100644 --- a/dirmngr/certcache.c +++ b/dirmngr/certcache.c @@ -94,6 +94,10 @@ static int initialization_done; /* Total number of non-permanent certificates. */ static unsigned int total_nonperm_certificates; +/* For each cert class the corresponding bit is set if at least one + * certificate of that class is loaded permanetly. */ +static unsigned int any_cert_of_class; + #ifdef HAVE_W32_SYSTEM /* We load some functions dynamically. Provide typedefs for tehse @@ -343,7 +347,9 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass, ci->permanent = !!permanent; ci->trustclasses = trustclass; - if (!permanent) + if (permanent) + any_cert_of_class |= trustclass; + else total_nonperm_certificates++; return 0; @@ -758,6 +764,7 @@ cert_cache_deinit (int full) } total_nonperm_certificates = 0; + any_cert_of_class = 0; initialization_done = 0; release_cache_lock (); } @@ -814,6 +821,15 @@ cert_cache_print_stats (void) } +/* Return true if any cert of a class in MASK is permanently + * loaded. */ +int +cert_cache_any_in_class (unsigned int mask) +{ + return !!(any_cert_of_class & mask); +} + + /* Put CERT into the certificate cache. */ gpg_error_t cache_cert (ksba_cert_t cert) diff --git a/dirmngr/certcache.h b/dirmngr/certcache.h index 92529bf11..8d645836d 100644 --- a/dirmngr/certcache.h +++ b/dirmngr/certcache.h @@ -39,6 +39,9 @@ void cert_cache_deinit (int full); /* Print some statistics to the log file. */ void cert_cache_print_stats (void); +/* Return true if any cert of a class in MASK is permanently loaded. */ +int cert_cache_any_in_class (unsigned int mask); + /* Compute the fingerprint of the certificate CERT and put it into the 20 bytes large buffer DIGEST. Return address of this buffer. */ unsigned char *cert_compute_fpr (ksba_cert_t cert, unsigned char *digest); diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c index 250db556c..ea66a4d73 100644 --- a/dirmngr/http-ntbtls.c +++ b/dirmngr/http-ntbtls.c @@ -91,6 +91,12 @@ gnupg_http_tls_verify_cb (void *opaque, validate_flags |= VALIDATE_FLAG_TRUST_HKP; if ((http_flags & HTTP_FLAG_TRUST_SYS)) validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM; + + /* If HKP trust is requested and there are no HKP certificates + * configured, also try thye standard system certificates. */ + if ((validate_flags & VALIDATE_FLAG_TRUST_HKP) + && !cert_cache_any_in_class (CERTTRUST_CLASS_HKP)) + validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM; } if ((http_flags & HTTP_FLAG_NO_CRL))