[Pkg-gnupg-commit] [gnupg2] 154/205: http: Allow to request system defined CAs for TLS.
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed May 11 08:38:32 UTC 2016
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch experimental
in repository gnupg2.
commit fd765df6a7883c3d841abeb657330a1aab4b7756
Author: Werner Koch <wk at gnupg.org>
Date: Tue Apr 26 21:57:56 2016 +0200
http: Allow to request system defined CAs for TLS.
* dirmngr/http.h (HTTP_FLAG_TRUST_DEF, HTTP_FLAG_TRUST_SYS): New.
* dirmngr/http.c (http_session_new): Add arg "flags".
* dirmngr/ks-engine-hkp.c (send_request): Use new flag
HTTP_FLAG_TRUST_DEF for the new arg of http_session_new.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http.c (main): Ditto.
--
Signed-off-by: Werner Koch <wk at gnupg.org>
---
dirmngr/http.c | 40 ++++++++++++++++++++++++++++++++--------
dirmngr/http.h | 9 ++++++---
dirmngr/ks-engine-hkp.c | 2 +-
dirmngr/ks-engine-http.c | 2 +-
dirmngr/t-http.c | 2 +-
5 files changed, 41 insertions(+), 14 deletions(-)
diff --git a/dirmngr/http.c b/dirmngr/http.c
index aa33917..f0fcd0d 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -560,10 +560,14 @@ http_session_release (http_session_t sess)
/* Create a new session object which is currently used to enable TLS
- support. It may eventually allow reusing existing connections. */
+ * support. It may eventually allow reusing existing connections.
+ * Valid values for FLAGS are:
+ * HTTP_FLAG_TRUST_DEF - Use the CAs set with http_register_tls_ca
+ * HTTP_FLAG_TRUST_SYS - Also use the CAs defined by the system
+ */
gpg_error_t
http_session_new (http_session_t *r_session, const char *tls_priority,
- const char *intended_hostname)
+ const char *intended_hostname, unsigned int flags)
{
gpg_error_t err;
http_session_t sess;
@@ -629,14 +633,34 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
}
/* Add configured certificates to the session. */
- for (sl = tls_ca_certlist; sl; sl = sl->next)
+ if ((flags & HTTP_FLAG_TRUST_DEF))
+ {
+ for (sl = tls_ca_certlist; sl; sl = sl->next)
+ {
+ rc = gnutls_certificate_set_x509_trust_file
+ (sess->certcred, sl->d,
+ (sl->flags & 1)? GNUTLS_X509_FMT_PEM : GNUTLS_X509_FMT_DER);
+ if (rc < 0)
+ log_info ("setting CA from file '%s' failed: %s\n",
+ sl->d, gnutls_strerror (rc));
+ }
+ }
+
+ /* Add system certificates to the session. */
+ if ((flags & HTTP_FLAG_TRUST_SYS))
{
- rc = gnutls_certificate_set_x509_trust_file
- (sess->certcred, sl->d,
- (sl->flags & 1)? GNUTLS_X509_FMT_PEM : GNUTLS_X509_FMT_DER);
+#if GNUTLS_VERSION_NUMBER >= 0x030014
+ static int shown;
+
+ rc = gnutls_certificate_set_x509_system_trust (sess->certcred);
if (rc < 0)
- log_info ("setting CA from file '%s' failed: %s\n",
- sl->d, gnutls_strerror (rc));
+ log_info ("setting system CAs failed: %s\n", gnutls_strerror (rc));
+ else if (!shown)
+ {
+ shown = 1;
+ log_info ("number of system provided CAs: %d\n", rc);
+ }
+#endif /* gnutls >= 3.0.20 */
}
rc = gnutls_init (&sess->tls_session, GNUTLS_CLIENT);
diff --git a/dirmngr/http.h b/dirmngr/http.h
index 58b8c1a..569ccea 100644
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
@@ -80,11 +80,13 @@ enum
HTTP_FLAG_TRY_PROXY = 1, /* Try to use a proxy. */
HTTP_FLAG_SHUTDOWN = 2, /* Close sending end after the request. */
HTTP_FLAG_FORCE_TOR = 4, /* Force a TOR connection. */
- HTTP_FLAG_LOG_RESP = 8, /* Log the server respone. */
+ HTTP_FLAG_LOG_RESP = 8, /* Log the server response. */
HTTP_FLAG_FORCE_TLS = 16, /* Force the use of TLS. */
HTTP_FLAG_IGNORE_CL = 32, /* Ignore content-length. */
HTTP_FLAG_IGNORE_IPv4 = 64, /* Do not use IPv4. */
- HTTP_FLAG_IGNORE_IPv6 = 128 /* Do not use IPv6. */
+ HTTP_FLAG_IGNORE_IPv6 = 128, /* Do not use IPv6. */
+ HTTP_FLAG_TRUST_DEF = 256, /* Use the default CAs. */
+ HTTP_FLAG_TRUST_SYS = 512 /* Also use the system defined CAs. */
};
@@ -99,7 +101,8 @@ void http_register_tls_ca (const char *fname);
gpg_error_t http_session_new (http_session_t *r_session,
const char *tls_priority,
- const char *intended_hostname);
+ const char *intended_hostname,
+ unsigned int flags);
http_session_t http_session_ref (http_session_t sess);
void http_session_release (http_session_t sess);
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index eca02f0..636eaf7 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -991,7 +991,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
*r_fp = NULL;
- err = http_session_new (&session, NULL, httphost);
+ err = http_session_new (&session, NULL, httphost, HTTP_FLAG_TRUST_DEF);
if (err)
goto leave;
http_session_set_log_cb (session, cert_log_cb);
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index 8232313..b996c25 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -73,7 +73,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
estream_t fp = NULL;
char *request_buffer = NULL;
- err = http_session_new (&session, NULL, NULL);
+ err = http_session_new (&session, NULL, NULL, HTTP_FLAG_TRUST_DEF);
if (err)
goto leave;
http_session_set_log_cb (session, cert_log_cb);
diff --git a/dirmngr/t-http.c b/dirmngr/t-http.c
index 9d5ea5f..3a6be6c 100644
--- a/dirmngr/t-http.c
+++ b/dirmngr/t-http.c
@@ -262,7 +262,7 @@ main (int argc, char **argv)
http_register_tls_callback (verify_callback);
http_register_tls_ca (cafile);
- err = http_session_new (&session, NULL, NULL);
+ err = http_session_new (&session, NULL, NULL, HTTP_FLAG_TRUST_DEF);
if (err)
log_error ("http_session_new failed: %s\n", gpg_strerror (err));
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git
More information about the Pkg-gnupg-commit
mailing list