From fd765df6a7883c3d841abeb657330a1aab4b7756 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Tue, 26 Apr 2016 21:57:56 +0200
Subject: [PATCH] http: Allow to request system defined CAs for TLS.
* dirmngr/http.h (HTTP_FLAG_TRUST_DEF, HTTP_FLAG_TRUST_SYS): New.
* dirmngr/http.c (http_session_new): Add arg "flags".
* dirmngr/ks-engine-hkp.c (send_request): Use new flag HTTP_FLAG_TRUST_DEF for the new arg of http_session_new.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http.c (main): Ditto.
--
Signed-off-by: Werner Koch
---
 dirmngr/http.c | 40 ++++++++++++++++++++++++++++++++--------
 dirmngr/http.h | 9 ++++++---
 dirmngr/ks-engine-hkp.c | 2 +-
 dirmngr/ks-engine-http.c | 2 +-
 dirmngr/t-http.c | 2 +-
 5 files changed, 41 insertions(+), 14 deletions(-)
diff --git a/dirmngr/http.c b/dirmngr/http.c
index aa33917be..f0fcd0d75 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -560,10 +560,14 @@ http_session_release (http_session_t sess)
 /* Create a new session object which is currently used to enable TLS
- support. It may eventually allow reusing existing connections. */
+ * support. It may eventually allow reusing existing connections.
+ * Valid values for FLAGS are:
+ * HTTP_FLAG_TRUST_DEF - Use the CAs set with http_register_tls_ca
+ * HTTP_FLAG_TRUST_SYS - Also use the CAs defined by the system
+ */
 gpg_error_t
 http_session_new (http_session_t *r_session, const char *tls_priority,
- const char *intended_hostname)
+ const char *intended_hostname, unsigned int flags)
 {
 gpg_error_t err;
 http_session_t sess;
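Review bot: The new FLAGS comment above http_session_new in dirmngr/http.c lists the two trust bits as "valid values" but does not say that they are independent bits, nor what a caller gets when neither is set. Judging from the second http.c hunk, each CA source is added only under its own `flags &` test, so passing 0 appears to leave the credentials without any CA from this function, which is worth stating where callers will read it. I would add a line such as `* FLAGS is a bit mask; if neither bit is set no CA is added here.` and word the http.h enum comment for HTTP_FLAG_TRUST_DEF like this one ("the CAs set with http_register_tls_ca") rather than "the default CAs". The function body continues outside this hunk.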
@@ -629,14 +633,34 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
 }
 /* Add configured certificates to the session. */
- for (sl = tls_ca_certlist; sl; sl = sl->next)
+ if ((flags & HTTP_FLAG_TRUST_DEF))
 {
- rc = gnutls_certificate_set_x509_trust_file
- (sess->certcred, sl->d,
- (sl->flags & 1)? GNUTLS_X509_FMT_PEM : GNUTLS_X509_FMT_DER);
+ for (sl = tls_ca_certlist; sl; sl = sl->next)
+ {
+ rc = gnutls_certificate_set_x509_trust_file
+ (sess->certcred, sl->d,
+ (sl->flags & 1)? GNUTLS_X509_FMT_PEM : GNUTLS_X509_FMT_DER);
+ if (rc < 0)
+ log_info ("setting CA from file '%s' failed: %s\n",
+ sl->d, gnutls_strerror (rc));
+ }
+ }
+
+ /* Add system certificates to the session. */
+ if ((flags & HTTP_FLAG_TRUST_SYS))
+ {
+#if GNUTLS_VERSION_NUMBER >= 0x030014
+ static int shown;
+
+ rc = gnutls_certificate_set_x509_system_trust (sess->certcred);
 if (rc < 0)
- log_info ("setting CA from file '%s' failed: %s\n",
- sl->d, gnutls_strerror (rc));
+ log_info ("setting system CAs failed: %s\n", gnutls_strerror (rc));
+ else if (!shown)
+ {
+ shown = 1;
+ log_info ("number of system provided CAs: %d\n", rc);
+ }
+#endif /* gnutls >= 3.0.20 */
 }
 rc = gnutls_init (&sess->tls_session, GNUTLS_CLIENT);
diff --git a/dirmngr/http.h b/dirmngr/http.h
index 58b8c1ac7..569ccea0e 100644
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
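Review bot: In the HTTP_FLAG_TRUST_SYS branch of http_session_new (dirmngr/http.c), a build against GnuTLS older than 3.0.20 compiles the branch to nothing, so a caller that asked for system CAs silently gets none and nothing is logged. That most likely fails closed at certificate verification, but the resulting error will be hard to trace back to its cause. I would add an `#else` arm that reports it, e.g. `log_info ("system CAs requested but not supported by this GnuTLS\n");`, or return an error if callers are meant to rely on the flag. Both loaders also only log on failure and the function carries on, so a session can be created with no usable trust anchors; whether that is acceptable depends on the verification code, which is outside this hunk.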
@@ -80,11 +80,13 @@ enum
 HTTP_FLAG_TRY_PROXY = 1, /* Try to use a proxy. */
 HTTP_FLAG_SHUTDOWN = 2, /* Close sending end after the request. */
 HTTP_FLAG_FORCE_TOR = 4, /* Force a TOR connection. */
- HTTP_FLAG_LOG_RESP = 8, /* Log the server respone. */
+ HTTP_FLAG_LOG_RESP = 8, /* Log the server response. */
 HTTP_FLAG_FORCE_TLS = 16, /* Force the use of TLS. */
 HTTP_FLAG_IGNORE_CL = 32, /* Ignore content-length. */
 HTTP_FLAG_IGNORE_IPv4 = 64, /* Do not use IPv4. */
- HTTP_FLAG_IGNORE_IPv6 = 128 /* Do not use IPv6. */
+ HTTP_FLAG_IGNORE_IPv6 = 128, /* Do not use IPv6. */
+ HTTP_FLAG_TRUST_DEF = 256, /* Use the default CAs. */
+ HTTP_FLAG_TRUST_SYS = 512 /* Also use the system defined CAs. */
 };
@@ -99,7 +101,8 @@ void http_register_tls_ca (const char *fname);
 gpg_error_t http_session_new (http_session_t *r_session,
 const char *tls_priority,
- const char *intended_hostname);
+ const char *intended_hostname,
+ unsigned int flags);
 http_session_t http_session_ref (http_session_t sess);
 void http_session_release (http_session_t sess);
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index eca02f001..636eaf781 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -991,7 +991,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
 *r_fp = NULL;
- err = http_session_new (&session, NULL, httphost);
+ err = http_session_new (&session, NULL, httphost, HTTP_FLAG_TRUST_DEF);
 if (err)
 goto leave;
 http_session_set_log_cb (session, cert_log_cb);
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index 8232313a3..b996c2573 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -73,7 +73,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
 estream_t fp = NULL;
 char *request_buffer = NULL;
- err = http_session_new (&session, NULL, NULL);
+ err = http_session_new (&session, NULL, NULL, HTTP_FLAG_TRUST_DEF);
 if (err)
 goto leave;
 http_session_set_log_cb (session, cert_log_cb);
diff --git a/dirmngr/t-http.c b/dirmngr/t-http.c
index 9d5ea5fd2..3a6be6c6a 100644
--- a/dirmngr/t-http.c
+++ b/dirmngr/t-http.c
@@ -262,7 +262,7 @@ main (int argc, char **argv)
 http_register_tls_callback (verify_callback);
 http_register_tls_ca (cafile);
- err = http_session_new (&session, NULL, NULL);
+ err = http_session_new (&session, NULL, NULL, HTTP_FLAG_TRUST_DEF);
 if (err)
 log_error ("http_session_new failed: %s\n", gpg_strerror (err));
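Review bot: The test program still exercises only HTTP_FLAG_TRUST_DEF at this call, and none of the call sites changed in this commit passes HTTP_FLAG_TRUST_SYS, so the new system-trust branch in http_session_new is not reached by any caller visible here. A switch in t-http.c's main that ORs `HTTP_FLAG_TRUST_SYS` into the flags given to `http_session_new` would let the branch, and its log output, be checked by hand before a real caller depends on it. main's body starts and ends outside this hunk, so its existing option handling may already offer a place for that.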