security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-05-31 22:18:03 +02:00
Code Activity
24cf0606b4
gnupg/dirmngr/http-ntbtls.c
Werner Koch 831d014550
dirmngr: Add special treatment for the standard hkps pool to ntbtls. 
* dirmngr/validate.h (VALIDATE_FLAG_SYSTRUST): Remove
(VALIDATE_FLAG_EXTRATRUST): Remove
(VALIDATE_FLAG_TRUST_SYSTEM): New.
(VALIDATE_FLAG_TRUST_CONFIG): New.
(VALIDATE_FLAG_TRUST_HKP): New.
(VALIDATE_FLAG_TRUST_HKPSPOOL): New.
(VALIDATE_FLAG_MASK_TRUST): New.
* dirmngr/validate.c (check_header_constants): New.
(validate_cert_chain): Call new function.  Simplify call to
is_trusted_cert.
* dirmngr/crlcache.c (crl_parse_insert): Pass
VALIDATE_FLAG_TRUST_CONFIG to validate_cert_chain
* dirmngr/server.c (cmd_validate): Use VALDIATE_FLAG_TRUST_SYSTEM and
VALIDATE_FLAG_TRUST_CONFIG.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Check provided TLS
context.  Set trustclass flags using the new VALIDATE_FLAG_TRUST
values.

* dirmngr/certcache.c (cert_cache_init): Load the standard pool
certificate prior to the --hkp-cacerts.
--

Note that this changes the way the standard cert is used: We require
that it is installed at /usr/share/gnupg and we do not allow to change
it.  If this is not desired, the the standard cert can be removed or
replaced by a newer one.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-21 14:55:04 +01:00

125 lines
3.3 KiB
C
Raw Blame History

/* http-ntbtls.c - Support for using NTBTLS with http.c
* Copyright (C) 2017 Werner Koch
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <https://www.gnu.org/licenses/>.
*/
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "dirmngr.h"
#include "certcache.h"
#include "validate.h"
#ifdef HTTP_USE_NTBTLS
# include <ntbtls.h>
/* The callback used to verify the peer's certificate. */
gpg_error_t
gnupg_http_tls_verify_cb (void *opaque,
http_t http,
http_session_t session,
unsigned int http_flags,
void *tls_context)
{
ctrl_t ctrl = opaque;
ntbtls_t tls = tls_context;
gpg_error_t err;
int idx;
ksba_cert_t cert;
ksba_cert_t hostcert = NULL;
unsigned int validate_flags;
const char *hostname;
(void)http;
(void)session;
log_assert (ctrl && ctrl->magic == SERVER_CONTROL_MAGIC);
log_assert (!ntbtls_check_context (tls));
/* Get the peer's certs fron ntbtls. */
for (idx = 0;
(cert = ntbtls_x509_get_peer_cert (tls, idx)); idx++)
{
if (!idx)
hostcert = cert;
else
{
/* Quick hack to make verification work by inserting the supplied
* certs into the cache. FIXME! */
cache_cert (cert);
ksba_cert_release (cert);
}
}
if (!idx)
{
err = gpg_error (GPG_ERR_MISSING_CERT);
goto leave;
}
validate_flags = VALIDATE_FLAG_TLS;
/* Are we using the standard hkps:// pool use the dedicated
* root certificate. */
hostname = ntbtls_get_hostname (tls);
if (hostname
&& !ascii_strcasecmp (hostname, "hkps.pool.sks-keyservers.net"))
{
validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL;
}
else /* Use the certificates as requested from the HTTP module. */
{
if ((http_flags & HTTP_FLAG_TRUST_DEF))
validate_flags |= VALIDATE_FLAG_TRUST_HKP;
if ((http_flags & HTTP_FLAG_TRUST_SYS))
validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
}
if ((http_flags & HTTP_FLAG_NO_CRL))
validate_flags |= VALIDATE_FLAG_NOCRLCHECK;
err = validate_cert_chain (ctrl, hostcert, NULL, validate_flags, NULL);
leave:
ksba_cert_release (hostcert);
return err;
}
#else /*!HTTP_USE_NTBTLS*/
/* Dummy function used when not build without ntbtls support. */
gpg_error_t
gnupg_http_tls_verify_cb (void *opaque,
http_t http,
http_session_t session,
unsigned int flags,
void *tls_context)
{
(void)opaque;
(void)http;
(void)session;
(void)flags;
(void)tls_context;
return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
}
#endif /*!HTTP_USE_NTBTLS*/
View Git Blame Copy Permalink