gnupg/dirmngr
Werner Koch 705d8e9cf0
dirmngr: Implement CRL fetching via https.
* dirmngr/http.h (HTTP_FLAG_TRUST_CFG): New flag.
* dirmngr/http.c (http_register_cfg_ca): New.
(http_session_new) [HTTP_USE_GNUTLS]: Implement new trust flag.
* dirmngr/certcache.c (load_certs_from_dir): Call new function.
(cert_cache_deinit): Ditto.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Add new args
'send_no_cache' and 'extra_http_trust_flags'.  Change all callers to
provide the default value.
* dirmngr/crlfetch.c (crl_fetch): Rewrite to make use of
ks_http_fetch.
--

The old code simply did not use https for downloading of CRLs.
Instead it rewrote https to http under the assumption that the CRL
service was also available without encryption.  Note that a CRL is
self-standing and thus it does not need to have extra authenticity as
provided by TLS.  These days we should not use any unencrypted content
and thus this patch.

Be aware that cacert.org gives a https CRL DP but that currently
redirects to http!  This is a downgrade attack which we detect and
don't allow.  The outcome is that it is right now not possible to use
CAcert certificates.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-04-25 12:38:04 +02:00
..
ChangeLog-2011 Fix spelling. 2017-02-21 13:11:46 -05:00
ChangeLog-2011-ks Remove the obsolete keyserver directory from the repo. 2015-04-20 18:20:45 +02:00
Makefile.am dirmngr: Add a background task framework. 2017-12-11 11:30:45 +01:00
OAUTHORS Nuked almost all trailing white space. 2011-02-04 12:57:53 +01:00
ONEWS Nuked almost all trailing white space. 2011-02-04 12:57:53 +01:00
cdb.h Tweaks for gpgconf. 2010-12-14 19:17:58 +00:00
cdblib.c g10, sm, dirmngr, common: Add comment for fall through. 2017-05-10 11:13:12 +09:00
certcache.c dirmngr: Implement CRL fetching via https. 2018-04-25 12:38:04 +02:00
certcache.h dirmngr: Use system certs if --hkp-cacert is not used. 2017-09-18 22:49:05 +02:00
crlcache.c dirmngr: More binary I/O on Windows for CRLs 2018-04-20 15:58:42 +02:00
crlcache.h move some file encodings to UTF-8 2016-09-17 15:57:31 +09:00
crlfetch.c dirmngr: Implement CRL fetching via https. 2018-04-25 12:38:04 +02:00
crlfetch.h Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
dirmngr-client.c Fix usage of ARGPARSE_OPTS. 2017-07-19 13:41:18 +09:00
dirmngr-err.h Some work on porting dirmngr (unfinished) 2010-07-16 13:19:45 +00:00
dirmngr.c Change backlog from 5 to 64 and provide option --listen-backlog. 2017-12-12 14:14:40 +01:00
dirmngr.h dirmngr: Add a background task framework. 2017-12-11 11:30:45 +01:00
dirmngr_ldap.c dirmngr: Reduce default LDAP timeout to 15 seconds. 2017-11-07 10:05:18 +01:00
dns-stuff.c dirmngr: This towel should better detect a changed resolv.conf. 2017-05-25 20:26:54 +02:00
dns-stuff.h Spelling fixes in docs and comments. 2017-04-28 10:06:33 +09:00
dns.c dirmngr: Add annotation for fallthrough. 2017-07-25 11:49:23 +09:00
dns.h dirmngr: New libdns snapshot 2016-12-14 15:56:58 +01:00
domaininfo.c dirmngr: Check for WKD support at session end 2017-12-11 11:31:15 +01:00
http-common.c dirmngr: Fix commit de6d8313 2017-03-03 17:17:26 +01:00
http-common.h dirmngr: Rearrange files to fix de6d831. 2017-03-02 18:35:03 +01:00
http-ntbtls.c dirmngr: Implement CRL fetching via https. 2018-04-25 12:38:04 +02:00
http.c dirmngr: Implement CRL fetching via https. 2018-04-25 12:38:04 +02:00
http.h dirmngr: Implement CRL fetching via https. 2018-04-25 12:38:04 +02:00
ks-action.c dirmngr: Implement CRL fetching via https. 2018-04-25 12:38:04 +02:00
ks-action.h Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
ks-engine-finger.c dirmngr: Implement HTTP connect timeouts of 15 or 2 seconds. 2017-06-08 09:37:36 +02:00
ks-engine-hkp.c dirmngr: Handle failures related to missing IPv6 gracefully 2018-02-22 20:46:51 +01:00
ks-engine-http.c dirmngr: Implement CRL fetching via https. 2018-04-25 12:38:04 +02:00
ks-engine-kdns.c Remove -I option to common. 2017-03-07 20:25:54 +09:00
ks-engine-ldap.c Remove -I option to common. 2017-03-07 20:25:54 +09:00
ks-engine.h dirmngr: Implement CRL fetching via https. 2018-04-25 12:38:04 +02:00
ldap-parse-uri.c Remove -I option to common. 2017-03-07 20:25:54 +09:00
ldap-parse-uri.h Remove -I option to common. 2017-03-07 20:25:54 +09:00
ldap-url.c dirmngr: Simplify strtok macro. 2014-03-07 19:00:31 +01:00
ldap-url.h Merged Dirmngr with GnuPG. 2010-06-09 16:53:51 +00:00
ldap-wrapper-ce.c dirmngr,w32: Fix ldap crl read on windows 2017-05-15 12:49:39 +02:00
ldap-wrapper.c Spelling fixes in docs and comments. 2017-04-28 10:06:33 +09:00
ldap-wrapper.h Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
ldap.c dirmngr: More minor fixes. 2017-07-24 15:35:34 +09:00
ldapserver.c Improve spelling and grammar of some comments. 2015-03-23 19:58:30 +01:00
ldapserver.h Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
loadswdb.c dirmngr: Implement CRL fetching via https. 2018-04-25 12:38:04 +02:00
misc.c dirmngr: Check for WKD support at session end 2017-12-11 11:31:15 +01:00
misc.h dirmngr: Rearrange files to fix de6d831. 2017-03-02 18:35:03 +01:00
ocsp.c dirmngr: New option --disable-ipv6 2017-04-03 20:56:12 +02:00
ocsp.h Merged Dirmngr with GnuPG. 2010-06-09 16:53:51 +00:00
server.c dirmngr: Implement CRL fetching via https. 2018-04-25 12:38:04 +02:00
sks-keyservers.netCA.pem dirmngr: Add support for hkps keyservers. 2014-05-05 16:23:37 +02:00
t-dns-stuff.c Remove -I option to common. 2017-03-07 20:25:54 +09:00
t-http.c dirmngr: Do not use a blocking connect in Tor mode. 2017-07-26 13:48:27 +02:00
t-ldap-parse-uri.c Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
t-support.h Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
tls-ca.pem Move http module from common/ to dirmngr/. 2015-10-18 20:08:26 +02:00
validate.c Spelling fixes in docs and comments. 2017-04-28 10:06:33 +09:00
validate.h dirmngr: Add special treatment for the standard hkps pool to ntbtls. 2017-02-21 14:55:04 +01:00
w32-ldap-help.h Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
workqueue.c dirmngr: Add a background task framework. 2017-12-11 11:30:45 +01:00