1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

423 Commits

Author SHA1 Message Date
NIIBE Yutaka
247932f367 dirmngr: Fix aliasing problem in dns.c.
* dirmngr/dns.c (dns_ai_setent): Care about aliasing.

--

Co-authored-by: Tomas Mraz
GnuPG-bug-id: 3105
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-25 21:00:41 +09:00
NIIBE Yutaka
4b2581dc0e dirmngr: Fix final close of LISTEN_FD.
* dirmngr/dirmngr.c (handle_connections): Close LISTEN_FD.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-18 09:04:11 +09:00
NIIBE Yutaka
0d0a7efa8f dirmngr: Fix API difference for Windows.
* dirmngr/http.c (read_server, write_server): Use assuan_fd_t.
(http_wait_response): Use FD2INT to get unsigned integer fd.
(read_server, write_server): Likewise.
(simple_cookie_read, simple_cookie_write): Use assuan_fd_t.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-18 09:03:14 +09:00
NIIBE Yutaka
adb77d095b dirmngr: More fix for test program.
* dirmngr/t-http.c (main): Care about no TLS.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-14 09:18:41 +09:00
NIIBE Yutaka
4771bad610 dirmngr: More fix for Windows.
* dirmngr/http.c (simple_cookie_read, simple_cookie_write): Only
valid with HTTP_USE_NTBTLS.
(_my_socket_new): Simply cast to int since it's for debug.
(_my_socket_ref, _my_socket_unref): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-14 08:32:49 +09:00
NIIBE Yutaka
86dcb03134 dirmngr: Fix http.c for sockaddr_storage.
dirmngr/http.c (use_socks): Use sockaddr_storage.
(my_sock_new_for_addr, connect_server): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-13 14:46:57 +09:00
NIIBE Yutaka
892b33bb2c dirmngr: Fix alignment of ADDR.
* dirmngr/dns-stuff.h (dns_addrinfo_s): Use struct sockaddr_storage
for size and alignment.
* dirmngr/dns-stuff.c (resolve_name_libdns): Follow the change.
(resolve_dns_name): Use struct sockaddr_storage.
(resolve_addr_standard, resolve_dns_addr): Likewise.
(resolve_dns_addr): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-13 14:33:33 +09:00
NIIBE Yutaka
37018adce6 dirmngr: Fix thread key type.
* dirmngr/dirmngr.c (my_tlskey_current_fd): Use npth_key_t.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-13 13:06:38 +09:00
NIIBE Yutaka
5af104b541 dirmngr: More fix for Windows.
* dirmngr/dns.c (socket_fd_t, STDCALL): New.
(dns_te_initname): Use.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-13 09:52:19 +09:00
NIIBE Yutaka
6755b3b505 dirmngr: Fix type of sock.
* dirmngr/http.c (send_request): Use assuan_fd_t for SOCK.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-12 20:50:50 +09:00
NIIBE Yutaka
7ae1857c90 dirmngr: Fix possible null reference.
* dirmngr/dns.c (dns_error_t dns_trace_fput): Check NULL.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-12 15:58:11 +09:00
NIIBE Yutaka
60d9a9e6b4 dirmngr: Fix plus1_ns.
* dirmngr/dns.c (plus1_ns): Fix the initial implementation.

--

Fixes-commit: 64904ce627b6b0661acf15b5b70103c4842bb0f3
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-12 11:44:10 +09:00
NIIBE Yutaka
bd0c94939f dirmngr: Fix dns-stuff.c in another way.
* dirmngr/dns-stuff.c (T_CERT): Define our own.

--

T_CERT may be defined by another enum type even if the value is same.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-12 10:22:03 +09:00
NIIBE Yutaka
0b904ddea8 Revert "dirmngr: Fix dns-stuff.c."
This reverts commit 1538523156be568046f632d1775eae30ea8bd556.
2017-04-12 10:00:37 +09:00
NIIBE Yutaka
1538523156 dirmngr: Fix dns-stuff.c.
* dirmngr/dns-stuff.c: Don't include arpa/nameser.h.

--

It is not needed at all.  T_CERT may be defined by different type of
ns_type.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-12 09:48:27 +09:00
NIIBE Yutaka
64904ce627 dirmngr: Use a function to increment network short.
* dirmngr/dns.c (plus1_ns): New.
(dns_p_push): Use it.

--

On OpenBSD, htons and ntohs are expanded to GCC's statement
expressions where local variable is allowed.  Consecutive use
of htons and ntohs causes problem of variable name.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-12 09:11:20 +09:00
NIIBE Yutaka
3133402241 dirmngr: Fix build for Windows.
* dirmngr/ldap-wrapper-ce.c (outstream_cookie_writer): Use
gpgrt_ssize_t.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-11 16:12:34 +09:00
Werner Koch
3533b85440
dirmngr: New option --disable-ipv6
* dirmngr/dirmngr.h (struct opt): Add field 'disable_ipv6'.
* dirmngr/dirmngr.c (oDisableIPv6): New const.
(opts): New option --disable-ipv6.
(parse_rereadable_options): Set that option.
* dirmngr/dns-stuff.c (opt_disable_ipv6): New var.
(set_dns_disable_ipv6): New.
(resolve_name_standard): Make use of it.
* dirmngr/ks-engine-finger.c (ks_finger_fetch): Take care of
OPT.DISABLE_IPV6.
* dirmngr/ks-engine-hkp.c (map_host): Ditto.
(send_request): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/ocsp.c (do_ocsp_request): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-04-03 20:56:12 +02:00
Werner Koch
fce36d7ec8
dirmngr,w32: Silence the 'certificate already cached' message.
* dirmngr/certcache.c (load_certs_from_w32_store): Silenece an info
message.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-04-03 20:34:21 +02:00
Werner Koch
cc32ddbcba
dirmngr: Handle EIO which is sometimes returned by cookie functions.
* dirmngr/ks-engine-hkp.c (handle_send_request_error): Handle EIO.
--

Suggested-by: Andre Heinecke
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-04-03 20:23:18 +02:00
Werner Koch
35c843c815
dirmngr: Always print a warning for a missing /etc/hosts.
* dirmngr/dns-stuff.c (libdns_init): No Windows specific handling of a
missing /etc/hosts.
--

My last comment on this was flawed.  Windows seems to always have its
version of /etc/hosts.  Only the en passant fixed bad escaping led me
assume that this was the case.  Thanks to Andre for complaining about
my comment remark.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-04-03 20:20:49 +02:00
Werner Koch
5d873f288e
dirmngr: Do not assume that /etc/hosts exists.
* dirmngr/dns-stuff.c (libdns_init): Do not bail out.
--

A standard Windows installation does not have a hosts file and thus we
can't bail out here.  We should also not bail out on a Unix system
because /etc/hosts is just one method in  nsswitch.conf.

Fixes-commit: 88f1505f0613894d5544290a170119eb538921e5
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-04-03 20:06:57 +02:00
Justus Winter
483c1288a8
dirmngr: Fix error handling.
* dirmngr/dns-stuff.c (libdns_init): Convert error before printing it.

Signed-off-by: Justus Winter <justus@g10code.com>
2017-03-21 14:22:13 +01:00
Justus Winter
88f1505f06
dirmngr: Load the hosts file into libdns.
* dirmngr/dns-stuff.c (libdns_init): Actually load the hosts file into
libdns.
--

Previously, connecting to key servers specified in /etc/hosts was not
possible because libdns' hosts structure was initialized, but not
filled with the content of the hosts file.

GnuPG-bug-id: 2977
Signed-off-by: Justus Winter <justus@g10code.com>
2017-03-21 14:18:25 +01:00
Werner Koch
69c521df42
dirmngr: Ignore warning alerts in the GNUTLS handshake.
* dirmngr/http.c (send_request) [GNUTLS]: Don't bail out on warning
alerts.
--

GnuPG-bug-id: 2833
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-17 12:50:35 +01:00
NIIBE Yutaka
70aca95d68 Remove -I option to common.
* dirmngr/Makefile.am (AM_CPPFLAGS): Remove -I$(top_srcdir)/common.
* g10/Makefile.am (AM_CPPFLAGS): Ditto.
* g13/Makefile.am (AM_CPPFLAGS): Ditto.
* kbx/Makefile.am (AM_CPPFLAGS): Ditto.
* scd/Makefile.am (AM_CPPFLAGS): Ditto.
* sm/Makefile.am (AM_CPPFLAGS): Ditto.
* tools/Makefile.am (AM_CPPFLAGS): Ditto.
* Throughout: Follow the change.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-03-07 20:25:54 +09:00
Werner Koch
8f0bf644bc
doc: Replace README.maint content.
--
2017-03-07 10:34:08 +01:00
Werner Koch
67c203b6bf
dirmngr: Fix commit de6d8313
* dirmngr/http-common.c (get_default_keyserver): Fix assert.
--

Fixes-commit: de6d8313f6df32aaa151bee74e1db269ac1e0fed
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-03 17:17:26 +01:00
Werner Koch
1890896fe6
dirmngr: Rearrange files to fix de6d831.
* dirmngr/http-common.c: New.
* dirmngr/http-common.h: New.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add them.
(t_http_SOURCES): Add them.
(t_ldap_parse_uri_SOURCES): Add them.
* dirmngr/misc.c (get_default_keyserver): Move to ...
* dirmngr/http-common.c: here.
* dirmngr/http.c: Include http-common.h instead of misc.h.
* dirmngr/http-ntbtls.c: Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-02 18:35:03 +01:00
Werner Koch
de6d8313f6
dirmngr: Let --gpgconf-list return the default keyserver.
* dirmngr/misc.c (get_default_keyserver): New.
* dirmngr/http.c: Include misc.h
(http_session_new): Use get_default_keyserver instead of hardwired
"hkps.pool.sks-keyservers.net".
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/dirmngr.c (main) <aGPGCongList>: Return default keyserver.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-02 17:58:58 +01:00
Daniel Kahn Gillmor
f5782e11a5 dirmngr: Avoid warnings during non-ntbtls build.
* dirmngr/t-http.c (my_http_tls_verify_cb): Avoid warnings when not
using ntbtls.

--

Without this patch, when building without ntbtls, we see the following
warnings during "make check":

t-http.c: In function ‘my_http_tls_verify_cb’:
t-http.c:141:16: warning: implicit declaration of function
      ‘ntbtls_x509_get_peer_cert’ [-Wimplicit-function-declaration]
        (cert = ntbtls_x509_get_peer_cert (tls_context, idx)); idx++)
                ^~~~~~~~~~~~~~~~~~~~~~~~~
t-http.c:141:14: warning: assignment makes pointer from integer
       without a cast  -Wint-conversion]
        (cert = ntbtls_x509_get_peer_cert (tls_context, idx)); idx++)
              ^
At top level:
t-http.c:123:1: warning: ‘my_http_tls_verify_cb’ defined but not
      used [-Wunused-function]
 my_http_tls_verify_cb (void *opaque,
 ^~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-02-25 22:54:47 -08:00
Werner Koch
22b69b9edf
dirmngr: Add new debug flag "extprog"
* dirmngr/dirmngr.h (DBG_EXTPROG_VALUE, DBG_EXTPROG): New macros.
* dirmngr/dirmngr.c (debug_flags): Add flag "extprog".
(handle_connections): Use a macro instead of -1 for an invalid socket.
* dirmngr/loadswdb.c (verify_status_cb): Debug the gpgv call.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-23 20:14:16 +01:00
Werner Koch
a42bf00b4e
dirmngr,w32: Make https with ntbtls work.
* dirmngr/http.c (simple_cookie_functions): New.
(send_request) [HTTP_USE_NTBTLS, W32]: Use es_fopencookie.
(cookie_read): Factor some code out to ...
(read_server): new.
(simple_cookie_read, simple_cookie_write) [W32]: New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-23 10:30:58 +01:00
Daniel Kahn Gillmor
ccb420380b Fix spelling.
--

Clean up several other misspellings noticed while reviewing Yuri's
de-duplication patch.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-02-21 13:11:46 -05:00
Yuri Chornoivan
24cf0606b4 Clean up word replication.
--

This fixes extra word repetitions (like "the the" or "is is") in the
code and docs.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-02-21 13:11:46 -05:00
Werner Koch
831d014550
dirmngr: Add special treatment for the standard hkps pool to ntbtls.
* dirmngr/validate.h (VALIDATE_FLAG_SYSTRUST): Remove
(VALIDATE_FLAG_EXTRATRUST): Remove
(VALIDATE_FLAG_TRUST_SYSTEM): New.
(VALIDATE_FLAG_TRUST_CONFIG): New.
(VALIDATE_FLAG_TRUST_HKP): New.
(VALIDATE_FLAG_TRUST_HKPSPOOL): New.
(VALIDATE_FLAG_MASK_TRUST): New.
* dirmngr/validate.c (check_header_constants): New.
(validate_cert_chain): Call new function.  Simplify call to
is_trusted_cert.
* dirmngr/crlcache.c (crl_parse_insert): Pass
VALIDATE_FLAG_TRUST_CONFIG to validate_cert_chain
* dirmngr/server.c (cmd_validate): Use VALDIATE_FLAG_TRUST_SYSTEM and
VALIDATE_FLAG_TRUST_CONFIG.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Check provided TLS
context.  Set trustclass flags using the new VALIDATE_FLAG_TRUST
values.

* dirmngr/certcache.c (cert_cache_init): Load the standard pool
certificate prior to the --hkp-cacerts.
--

Note that this changes the way the standard cert is used: We require
that it is installed at /usr/share/gnupg and we do not allow to change
it.  If this is not desired, the the standard cert can be removed or
replaced by a newer one.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-21 14:55:04 +01:00
Werner Koch
d1625a9a82
dirmngr: Load --hkp-cacert values into the certificate cache.
* dirmngr/dirmngr.c (hkp_cacert_filenames): New var.
(parse_rereadable_options): Store filenames from --hkp-cacert in the
new var.
(main, dirmngr_sighup_action): Pass that var to cert_cache_init.
* dirmngr/certcache.c (cert_cache_init): Add arg 'hkp_cacert' and load
those certs.
(load_certs_from_file): Use autodetect so that PEM and DER encodings
are possible.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-21 13:57:24 +01:00
Werner Koch
9741aa24d9
dirmngr: Load "sks-keyservers.netCA.pem" into the cache.
* dirmngr/certcache.c (load_certs_from_file): Always build this
function.  Add args 'trustclasses' and 'no_error'.  Pass TRUSTCLASSES
to put_cert.
(load_certs_from_system): Pass CERTTRUST_CLASS_SYSTEM to
load_certs_from_file.
(cert_cache_init): Try to load "sks-keyservers.netCA.pem".  Don't make
function fail in an out-of-core condition.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-21 12:42:34 +01:00
Werner Koch
50b9828eac
dirmngr: Implement trust classes for the cert cache.
* dirmngr/certcache.h (CERTTRUST_CLASS_SYSTEM): New.
(CERTTRUST_CLASS_CONFIG): New.
(CERTTRUST_CLASS_HKP): New.
(CERTTRUST_CLASS_HKPSPOOL): New.
* dirmngr/certcache.c (MAX_EXTRA_CACHED_CERTS): Rename to ...
(MAX_NONPERM_CACHED_CERTS): this.
(total_extra_certificates): Rename to ...
(total_nonperm_certificates): this.
(total_config_certificates): Remove.
(total_trusted_certificates): Remove.
(total_system_trusted_certificates): Remove.
(cert_item_s): Remove field 'flags'.  Add fields 'permanent' and
'trustclasses'.
(clean_cache_slot): Clear new fields.
(put_cert): Change for new cert_item_t structure.
(load_certs_from_dir): Rename arg 'are_trusted' to 'trustclass'
(load_certs_from_file): Use CERTTRUST_CLASS_ value for put_cert.
(load_certs_from_w32_store): Ditto.
(cert_cache_init): Ditto.
(cert_cache_print_stats): Rewrite.
(is_trusted_cert): Replace arg 'with_systrust' by 'trustclasses'.
Chnage the test.
* dirmngr/validate.c (allowed_ca): Pass CERTTRUST_CLASS_CONFIG to
is_trusted_cert.
(validate_cert_chain): Pass CERTTRUST_CLASS_ values to
is_trusted_cert.
--

These trust classes make it easier to select certain sets of root
certificates.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-21 12:23:20 +01:00
Werner Koch
493c142e58
dirmngr: New Assuan option "http-crl".
* dirmngr/dirmngr.h (server_control_s): New flag 'http_no_crl'.
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set this flag.
* dirmngr/server.c (option_handler): New option "http-crl"
* dirmngr/http.h (HTTP_FLAG_NO_CRL): New flag.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Consult this flag.
* dirmngr/ks-engine-hkp.c (send_request): Set flag depending on CTRL.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.

* dirmngr/t-http.c (main): New option --no-crl.
--

This new option can be used to enable CRL checks on a per session
base.  The default is not to use CRLs for https connections.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-21 09:37:07 +01:00
Werner Koch
39c7450381
dirmngr: Add a magic field to the http structs.
* dirmngr/http.c (HTTP_SESSION_MAGIC): New.
(http_session_s): New field 'magic'.
(HTTP_CONTEXT_MAGIC): New.
(http_context_s): New field 'magic'.
(my_ntbtls_verify_cb): Assert MAGIC.
(fp_onclose_notification): Ditto.
(session_unref): Ditto.  Reset MAGIC.
(http_session_new): Set MAGIC.
(http_open): Ditto.
(http_raw_connect): Ditto.
(http_close): Assert MAGIC.  Reset MAGIC.

* dirmngr/t-http.c (my_http_tls_verify_cb): MArk HTTP_FLAGS unused.
--

We pass those handles through opaque pointers.  The magic numbers will
help to detect wrong use.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-21 09:13:02 +01:00
Werner Koch
a022baa4a4
dirmngr: Setup a log handler for ntbtls.
* dirmngr/dirmngr.c (my_ntbtls_log_handler) [HTTP_USE_NTBTLS]: New.
(main) [HTTP_USE_NTBTLS]: Register log handler.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-20 17:24:00 +01:00
Werner Koch
e174893262
dirmngr.c: Make http.c build without any TLS support.
* dirmngr/http.c (http_session_new): Remove used of tls_prority.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-20 10:02:25 +01:00
Werner Koch
81ea24b863
dirmngr: Make t-http.c work again with gnutls - second try
* dirmngr/t-http.c: Always include ksba.h.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-20 09:53:31 +01:00
Werner Koch
f923873863
dirmngr: Make t-http.c work again with gnutls.
* dirmngr/Makefile.am (t_http_CFLAGS, t_http_LDADD): Add KSBA flags
and libs.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-20 09:48:37 +01:00
Werner Koch
64fffd0ce2
dirmngr: First take on ntbtls cert verification.
* dirmngr/http-ntbtls.c: New.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add file.
* dirmngr/dirmngr.h (SERVER_CONTROL_MAGIC): New.
(server_conrol_s): Add field 'magic',
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set MAGIC.
(dirmngr_deinit_default_ctrl): Set MAGIC to deadbeef.
* dirmngr/http.c (my_ntbtls_verify_cb): New.
(http_session_new) [HTTP_USE_NTBTLS]: Remove all CA setting code.
(send_request) [HTTP_USE_NTBTLS]: Set the verify callback.  Do not call
the verify callback after the handshake.
* dirmngr/ks-engine-hkp.c (send_request): Pass
gnupg_http_tls_verify_cb to http_session_new.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.

* dirmngr/t-http.c (my_http_tls_verify_cb): New.
(main): Rename option --gnutls-debug to --tls-debug.
(main) [HTTP_USE_NTBTLS]: Create a session.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-19 10:36:43 +01:00
Werner Koch
a74902cccd
dirmngr: Add per-session verify callback to http.c
* dirmngr/http.h (http_verify_cb_t): New type.
* dirmngr/http.c (http_session_s): Add fields flags, verify_cb, and
verify_cb_value.
(http_session_new): Remove arg tls_priority.  Add args verify_cb and
verify-cb_value.  Store them in the session object.
(send_request): Use per-session verify callback.
(http_verify_server_credentials) [HTTP_USE_NTBTLS]: Return
GPG_ERR_NOT_IMPLEMENTED.
* dirmngr/ks-engine-hkp.c (send_request): Adjust for changed
http_session_new.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http.c (main): Ditto.

* dirmngr/server.c (do_get_cert_local): Replace xmalloc by malloc.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-18 16:39:02 +01:00
Werner Koch
cd32ebd152
dirmngr: Strip the default https port from the Host: header.
* dirmngr/http.c (send_request): Strip the default https port.

--

GnuPG-bug-id: 2965
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-17 21:59:45 +01:00
Werner Koch
f07811ee2c
dirmngr: Add option --no-crl to the VALIDATE cmd.
* dirmngr/validate.h: Remove enums VALIDATE_MODE_*.
(VALIDATE_FLAG_SYSTRUST, VALIDATE_FLAG_EXTRATRUST)
(VALIDATE_FLAG_CRL, VALIDATE_FLAG_RECURSIVE)
(VALIDATE_FLAG_OCSP, VALIDATE_FLAG_TLS)
(VALIDATE_FLAG_NOCRLCHECK): New constants.
* dirmngr/validate.c (validate_cert_chain): Change arg 'mode' to
'flags'.  Change code accordingly.  Remove NO-CRL in TLS mode kludge.
* dirmngr/crlcache.c (crl_parse_insert): Change to use flag values for
the validate_cert_chain call.
* dirmngr/server.c (cmd_validate): Ditto.  Add new option --no-crl.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-17 21:31:33 +01:00
Werner Koch
070211eb99
dirmngr: Add options --tls and --systrust to the VALIDATE cmd.
* dirmngr/certcache.h (certlist_s, certlist_t): New.
* dirmngr/certcache.c (read_certlist_from_stream): New.
(release_certlist): New.
* dirmngr/server.c (MAX_CERTLIST_LENGTH): New.
(cmd_validate): Add options --tls and --systrust.  Implement them
using a kludge for now.
* dirmngr/validate.c (validate_cert_chain): Support systrust
checking.  Add kludge to disable the CRL checking for tls mode.
--

This can now be used to test a list of certificates as returned by
TLS.  Put the certs PEM encoded into a a file certlist.pem with the
target certificate being the first.  Then run

  gpg-connect-agent --dirmngr \
    '/definqfile CERTLIST wiki-gnupg-chain.pem' \
    'validate --systrust --tls' /bye

CRLS check has been disabled becuase we can't yet pass the systrust
flag to the CRL checking code.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-17 16:41:02 +01:00