mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-05 12:31:50 +01:00
705d8e9cf0
* dirmngr/http.h (HTTP_FLAG_TRUST_CFG): New flag. * dirmngr/http.c (http_register_cfg_ca): New. (http_session_new) [HTTP_USE_GNUTLS]: Implement new trust flag. * dirmngr/certcache.c (load_certs_from_dir): Call new function. (cert_cache_deinit): Ditto. * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto. * dirmngr/ks-engine-http.c (ks_http_fetch): Add new args 'send_no_cache' and 'extra_http_trust_flags'. Change all callers to provide the default value. * dirmngr/crlfetch.c (crl_fetch): Rewrite to make use of ks_http_fetch. -- The old code simply did not use https for downloading of CRLS. Instead it rewrote https to http under the assumption that the CRL service was also available without encryption. Note that a CRL is self-standing and thus it does not need to have extra authenticity as provided by TLS. These days we should not use any unencrypted content and thus this patch. Be aware that cacert.org give a https CRL DP but that currently redirects to to http! This is a downgrade attack which we detect and don't allow. The outcome is that it is right now not possible to use CAcert certificates. Signed-off-by: Werner Koch <wk@gnupg.org>
133 lines
3.7 KiB
C
133 lines
3.7 KiB
C
/* http-ntbtls.c - Support for using NTBTLS with http.c
|
|
* Copyright (C) 2017 Werner Koch
|
|
*
|
|
* This file is part of GnuPG.
|
|
*
|
|
* GnuPG is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* GnuPG is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, see <https://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include <config.h>
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
#include "dirmngr.h"
|
|
#include "certcache.h"
|
|
#include "validate.h"
|
|
#include "http-common.h"
|
|
|
|
#ifdef HTTP_USE_NTBTLS
|
|
# include <ntbtls.h>
|
|
|
|
|
|
/* The callback used to verify the peer's certificate. */
|
|
gpg_error_t
|
|
gnupg_http_tls_verify_cb (void *opaque,
|
|
http_t http,
|
|
http_session_t session,
|
|
unsigned int http_flags,
|
|
void *tls_context)
|
|
{
|
|
ctrl_t ctrl = opaque;
|
|
ntbtls_t tls = tls_context;
|
|
gpg_error_t err;
|
|
int idx;
|
|
ksba_cert_t cert;
|
|
ksba_cert_t hostcert = NULL;
|
|
unsigned int validate_flags;
|
|
const char *hostname;
|
|
|
|
(void)http;
|
|
(void)session;
|
|
|
|
log_assert (ctrl && ctrl->magic == SERVER_CONTROL_MAGIC);
|
|
log_assert (!ntbtls_check_context (tls));
|
|
|
|
/* Get the peer's certs fron ntbtls. */
|
|
for (idx = 0;
|
|
(cert = ntbtls_x509_get_peer_cert (tls, idx)); idx++)
|
|
{
|
|
if (!idx)
|
|
hostcert = cert;
|
|
else
|
|
{
|
|
/* Quick hack to make verification work by inserting the supplied
|
|
* certs into the cache. FIXME! */
|
|
cache_cert (cert);
|
|
ksba_cert_release (cert);
|
|
}
|
|
}
|
|
if (!idx)
|
|
{
|
|
err = gpg_error (GPG_ERR_MISSING_CERT);
|
|
goto leave;
|
|
}
|
|
|
|
validate_flags = VALIDATE_FLAG_TLS;
|
|
|
|
/* If we are using the standard hkps:// pool use the dedicated
|
|
* root certificate. */
|
|
hostname = ntbtls_get_hostname (tls);
|
|
if (hostname
|
|
&& !ascii_strcasecmp (hostname, get_default_keyserver (1)))
|
|
{
|
|
validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL;
|
|
}
|
|
else /* Use the certificates as requested from the HTTP module. */
|
|
{
|
|
if ((http_flags & HTTP_FLAG_TRUST_CFG))
|
|
validate_flags |= VALIDATE_FLAG_TRUST_CONFIG;
|
|
if ((http_flags & HTTP_FLAG_TRUST_DEF))
|
|
validate_flags |= VALIDATE_FLAG_TRUST_HKP;
|
|
if ((http_flags & HTTP_FLAG_TRUST_SYS))
|
|
validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
|
|
|
|
/* If HKP trust is requested and there are no HKP certificates
|
|
* configured, also try the standard system certificates. */
|
|
if ((validate_flags & VALIDATE_FLAG_TRUST_HKP)
|
|
&& !cert_cache_any_in_class (CERTTRUST_CLASS_HKP))
|
|
validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
|
|
}
|
|
|
|
if ((http_flags & HTTP_FLAG_NO_CRL))
|
|
validate_flags |= VALIDATE_FLAG_NOCRLCHECK;
|
|
|
|
err = validate_cert_chain (ctrl, hostcert, NULL, validate_flags, NULL);
|
|
|
|
leave:
|
|
ksba_cert_release (hostcert);
|
|
return err;
|
|
}
|
|
|
|
|
|
#else /*!HTTP_USE_NTBTLS*/
|
|
|
|
/* Dummy function used when not build without ntbtls support. */
|
|
gpg_error_t
|
|
gnupg_http_tls_verify_cb (void *opaque,
|
|
http_t http,
|
|
http_session_t session,
|
|
unsigned int flags,
|
|
void *tls_context)
|
|
{
|
|
(void)opaque;
|
|
(void)http;
|
|
(void)session;
|
|
(void)flags;
|
|
(void)tls_context;
|
|
return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
|
|
}
|
|
#endif /*!HTTP_USE_NTBTLS*/
|