security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-02-01 16:33:02 +01:00
Code Activity

dirmngr: Use system certs if --hkp-cacert is not used.

Browse Source 
* dirmngr/certcache.c (any_cert_of_class): New var.
(put_cert): Set it.
(cert_cache_deinit): Clear it.
(cert_cache_any_in_class): New func.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Add hack to
override empty list of HKP certs.
--

This patch carries the changes for GNUTLS from commit
7c1613d41566f7d8db116790087de323621205fe over to NTBTLS.  NTBTLS works
quite different and thus we need to do it this way.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2017-09-18 22:49:05 +02:00
parent 9588dd116c
commit df692a6167
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
3 changed files with 26 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
dirmngr/certcache.c
View File

@ -94,6 +94,10 @@ static int initialization_done;
/* Total number of non-permanent certificates. */ /* Total number of non-permanent certificates. */
static unsigned int total_nonperm_certificates; static unsigned int total_nonperm_certificates;
/* For each cert class the corresponding bit is set if at least one
* certificate of that class is loaded permanetly. */
static unsigned int any_cert_of_class;
#ifdef HAVE_W32_SYSTEM #ifdef HAVE_W32_SYSTEM
/* We load some functions dynamically. Provide typedefs for tehse /* We load some functions dynamically. Provide typedefs for tehse
@ -343,7 +347,9 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
ci->permanent = !!permanent; ci->permanent = !!permanent;
ci->trustclasses = trustclass; ci->trustclasses = trustclass;
if (!permanent) if (permanent)
any_cert_of_class |= trustclass;
else
total_nonperm_certificates++; total_nonperm_certificates++;
return 0; return 0;
@ -758,6 +764,7 @@ cert_cache_deinit (int full)
} }
total_nonperm_certificates = 0; total_nonperm_certificates = 0;
any_cert_of_class = 0;
initialization_done = 0; initialization_done = 0;
release_cache_lock (); release_cache_lock ();
} }
@ -814,6 +821,15 @@ cert_cache_print_stats (void)
} }
/* Return true if any cert of a class in MASK is permanently
* loaded. */
int
cert_cache_any_in_class (unsigned int mask)
{
return !!(any_cert_of_class & mask);
}
/* Put CERT into the certificate cache. */ /* Put CERT into the certificate cache. */
gpg_error_t gpg_error_t
cache_cert (ksba_cert_t cert) cache_cert (ksba_cert_t cert)

3
dirmngr/certcache.h
View File

@ -39,6 +39,9 @@ void cert_cache_deinit (int full);
/* Print some statistics to the log file. */ /* Print some statistics to the log file. */
void cert_cache_print_stats (void); void cert_cache_print_stats (void);
/* Return true if any cert of a class in MASK is permanently loaded. */
int cert_cache_any_in_class (unsigned int mask);
/* Compute the fingerprint of the certificate CERT and put it into /* Compute the fingerprint of the certificate CERT and put it into
the 20 bytes large buffer DIGEST. Return address of this buffer. */ the 20 bytes large buffer DIGEST. Return address of this buffer. */
unsigned char *cert_compute_fpr (ksba_cert_t cert, unsigned char *digest); unsigned char *cert_compute_fpr (ksba_cert_t cert, unsigned char *digest);

6
dirmngr/http-ntbtls.c
View File

@ -91,6 +91,12 @@ gnupg_http_tls_verify_cb (void *opaque,
validate_flags |= VALIDATE_FLAG_TRUST_HKP; validate_flags |= VALIDATE_FLAG_TRUST_HKP;
if ((http_flags & HTTP_FLAG_TRUST_SYS)) if ((http_flags & HTTP_FLAG_TRUST_SYS))
validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM; validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
/* If HKP trust is requested and there are no HKP certificates
* configured, also try thye standard system certificates. */
if ((validate_flags & VALIDATE_FLAG_TRUST_HKP)
&& !cert_cache_any_in_class (CERTTRUST_CLASS_HKP))
validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
} }
if ((http_flags & HTTP_FLAG_NO_CRL)) if ((http_flags & HTTP_FLAG_NO_CRL))