[Pkg-gnupg-commit] [gnupg2] 04/08: Set simple and easy defaults for keyservers
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Nov 10 18:16:10 UTC 2016
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch master in repository gnupg2.
commit 4ee02819fa4cecd5611772a98c0c441ff2abde76
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Nov 10 06:43:14 2016 -0800
Set simple and easy defaults for keyservers
---
...ister-hkp-cacert-even-if-the-file-doesn-t.patch | 72 ++++++++++++++++
...-Add-system-CAs-if-no-hkp-cacert-is-given.patch | 98 ++++++++++++++++++++++
...-a-default-keyserver-if-none-is-explicitl.patch | 65 ++++++++++++++
debian/patches/series | 3 +
4 files changed, 238 insertions(+)
diff --git a/debian/patches/easy-keyservers/0117-dirmngr-Register-hkp-cacert-even-if-the-file-doesn-t.patch b/debian/patches/easy-keyservers/0117-dirmngr-Register-hkp-cacert-even-if-the-file-doesn-t.patch
new file mode 100644
index 0000000..5233522
--- /dev/null
+++ b/debian/patches/easy-keyservers/0117-dirmngr-Register-hkp-cacert-even-if-the-file-doesn-t.patch
@@ -0,0 +1,72 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 27 Oct 2016 15:33:27 -0400
+Subject: dirmngr: Register hkp-cacert even if the file doesn't exist yet.
+
+* dirmngr/dirmngr.c (parse_readable_options): If we're unable to turn
+an argument for hkp-cacert into an absolute filename, terminate
+completely.
+* dirmngr/http.c (http_register_tls_ca): Show a warning if file is not
+immediately accessible, but register it anyway.
+
+--
+
+Without this changeset, the condition of the filesystem when dirmngr
+is initialized will have an effect on later activities of dirmngr.
+
+For example, if a file identified by a hkp-cacert directive doesn't
+exist when dirmngr starts, dirmngr will behave as though it simply
+didn't have the hkp-cacert directive set at all, even if the file
+should appear later.
+
+dirmngr currently behaves differently if no hkp-cacert directives have
+been set then it does when at least one hkp-cacert directive has been
+set. For example, its choice of CA cert for
+hkps://hkps.pool.sks-keyservers.net depends on whether a TLS CA file
+has been registered. That behavior shouldn't additionally depend on
+the state of the filesystem at the time of dirmngr launch.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ dirmngr/dirmngr.c | 12 +++---------
+ dirmngr/http.c | 5 +++++
+ 2 files changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
+index 6e76ffc..3d43bda 100644
+--- a/dirmngr/dirmngr.c
++++ b/dirmngr/dirmngr.c
+@@ -601,15 +601,9 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
+ {
+ char *tmpname;
+
+- /* Do tilde expansion and print a warning if the file can't be
+- accessed. */
+- tmpname = make_absfilename_try (pargs->r.ret_str, NULL);
+- if (!tmpname || access (tmpname, F_OK))
+- log_info (_("can't access '%s': %s\n"),
+- tmpname? tmpname : pargs->r.ret_str,
+- gpg_strerror (gpg_error_from_syserror()));
+- else
+- http_register_tls_ca (tmpname);
++ /* Do tilde expansion and make path absolute. */
++ tmpname = make_absfilename (pargs->r.ret_str, NULL);
++ http_register_tls_ca (tmpname);
+ xfree (tmpname);
+ }
+ break;
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index ac8238c..b767c15 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -492,6 +492,11 @@ http_register_tls_ca (const char *fname)
+ }
+ else
+ {
++ /* Warn if we can't access right now, but register it anyway in
++ case it becomes accessible later */
++ if (access (fname, F_OK))
++ log_info (_("can't access '%s': %s\n"), fname,
++ gpg_strerror (gpg_error_from_syserror()));
+ sl = add_to_strlist (&tls_ca_certlist, fname);
+ if (*sl->d && !strcmp (sl->d + strlen (sl->d) - 4, ".pem"))
+ sl->flags = 1;
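Review bot: the ChangeLog entry at the top of this patch names `parse_readable_options`, but the dirmngr.c hunk header shows the function is `parse_rereadable_options`; fix the name before this goes upstream. On behaviour: because the http.c hunk now registers an hkp-cacert path even when `access (fname, F_OK)` fails, a mistyped or not-yet-present path makes `tls_ca_certlist` non-empty, and in http_session_new (patch 0118 below) a non-empty list is exactly what disables the bundled sks-keyservers.net CA for the pool and the system-CA fallback for other hosts; the session then ends up with no trust anchors at all and the only hint is a `log_info` "can't access" line at start-up plus a `log_info` "setting CA from file ... failed" line later. That is fail-closed, which is the right direction, but consider raising the registration-time message to `log_error` and stating in it that hkps connections will fail verification until the file appears, so the cause is discoverable from the log. Finally, replacing `make_absfilename_try` with `make_absfilename` turns an allocation failure during option parsing into a fatal error, as the ChangeLog says; that is reasonable for daemon start-up but deserves a sentence in the commit body, since the old code merely logged and continued.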
diff --git a/debian/patches/easy-keyservers/0118-dirmngr-Add-system-CAs-if-no-hkp-cacert-is-given.patch b/debian/patches/easy-keyservers/0118-dirmngr-Add-system-CAs-if-no-hkp-cacert-is-given.patch
new file mode 100644
index 0000000..7b50981
--- /dev/null
+++ b/debian/patches/easy-keyservers/0118-dirmngr-Add-system-CAs-if-no-hkp-cacert-is-given.patch
@@ -0,0 +1,98 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 27 Oct 2016 16:16:08 -0400
+Subject: dirmngr: Add system CAs if no hkp-cacert is given.
+
+* dirmngr/dirmngr.c (http_session_new): If the user isn't talking to
+the HKPS pool, and they have not specified any hkp-cacert, then we
+should default to the system CAs, rather than nothing.
+* doc/dirmngr.texi: Document choice of CAs.
+
+--
+
+Consider three possible classes of dirmngr configuration:
+
+ a) no hkps:// keyserver URLs at all (communication with keyservers is
+ entirely in the clear)
+
+ b) hkps:// keyserver URLs, but no hkp-cacert directives
+
+ c) hkps:// keyserver URLs, and at least one hkp-cacert directive
+
+class (a) provides no confidentiality of requests.
+
+class (b) currently will never work because the server certificate
+cannot be validated.
+
+class (c) is currently supported as intended.
+
+This patch allows users with configurations in class (b) to work as
+most users expect (relying on the system certificate authorities),
+without affecting users in classes (a) or (c).
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ dirmngr/http.c | 14 +++++++++-----
+ doc/dirmngr.texi | 5 +++++
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index b767c15..18e3b72 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -591,6 +591,8 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
+ const char *errpos;
+ int rc;
+ strlist_t sl;
++ int add_system_cas = !!(flags & HTTP_FLAG_TRUST_SYS);
++ int is_hkps_pool;
+
+ rc = gnutls_certificate_allocate_credentials (&sess->certcred);
+ if (rc < 0)
+@@ -601,13 +603,13 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
+ goto leave;
+ }
+
++ is_hkps_pool = intended_hostname &&
++ !ascii_strcasecmp (intended_hostname, "hkps.pool.sks-keyservers.net");
++
+ /* If the user has not specified a CA list, and they are looking
+ * for the hkps pool from sks-keyservers.net, then default to
+ * Kristian's certificate authority: */
+- if (!tls_ca_certlist
+- && intended_hostname
+- && !ascii_strcasecmp (intended_hostname,
+- "hkps.pool.sks-keyservers.net"))
++ if (!tls_ca_certlist && is_hkps_pool)
+ {
+ char *pemname = make_filename_try (gnupg_datadir (),
+ "sks-keyservers.netCA.pem", NULL);
+@@ -640,10 +642,12 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
+ log_info ("setting CA from file '%s' failed: %s\n",
+ sl->d, gnutls_strerror (rc));
+ }
++ if (!tls_ca_certlist && !is_hkps_pool)
++ add_system_cas = 1;
+ }
+
+ /* Add system certificates to the session. */
+- if ((flags & HTTP_FLAG_TRUST_SYS))
++ if (add_system_cas)
+ {
+ #if GNUTLS_VERSION_NUMBER >= 0x030014
+ static int shown;
+diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
+index 04494a5..11bded5 100644
+--- a/doc/dirmngr.texi
++++ b/doc/dirmngr.texi
+@@ -461,6 +461,11 @@ the file is in PEM format a suffix of @code{.pem} is expected for
+ @var{file}. This option may be given multiple times to add more
+ root certificates. Tilde expansion is supported.
+
++If no @code{hkp-cacert} directive is present, dirmngr will make a
++reasonable choice: if the keyserver in question is the special pool
++ at code{hkps.pool.sks-keyservers.net}, it will use the bundled root
++certificate for that pool. Otherwise, it will use the system CAs.
++
+ @end table
+
+
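Review bot: the commit body says configurations in class (b) will now work, but the visible lines show the system-CA block is guarded by `#if GNUTLS_VERSION_NUMBER >= 0x030014`; the `#else` branch is outside this hunk, so the claim, and the new dirmngr.texi sentence "Otherwise, it will use the system CAs", should be qualified with the GnuTLS version this depends on. Style point on the third http.c hunk: `add_system_cas = 1` is set inside the else-branch after the `tls_ca_certlist` loop, yet its condition `!tls_ca_certlist && !is_hkps_pool` does not depend on the loop at all (when the list is empty the loop body never runs), so it can sit directly after the `is_hkps_pool` assignment, which would put the whole three-way decision (bundled pool CA, user list, system CAs) in one readable place. The documentation should also spell out the two consequences of the conditions `!tls_ca_certlist && is_hkps_pool` and `!tls_ca_certlist && !is_hkps_pool`: for the pool only the bundled CA is trusted, never the system store, and giving any `hkp-cacert` directive switches off both defaults for every host. Lastly, the texinfo hunk reads " at code{hkps.pool.sks-keyservers.net}" in this mail, which looks like the list's address mangling of `@code`; verify the committed file really contains `@code{...}`.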
diff --git a/debian/patches/easy-keyservers/0119-dirmngr-Use-a-default-keyserver-if-none-is-explicitl.patch b/debian/patches/easy-keyservers/0119-dirmngr-Use-a-default-keyserver-if-none-is-explicitl.patch
new file mode 100644
index 0000000..6f70070
--- /dev/null
+++ b/debian/patches/easy-keyservers/0119-dirmngr-Use-a-default-keyserver-if-none-is-explicitl.patch
@@ -0,0 +1,65 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 27 Oct 2016 18:25:56 -0400
+Subject: dirmngr: Use a default keyserver if none is explicitly set.
+
+* configure.ac: Define DIRMNGR_DEFAULT_KEYSERVER.
+* dirmngr/server.c (ensure_keyserver): Use it if no keyservers are set.
+* doc/dirmngr.texi: Document this behavior.
+
+--
+
+A user who doesn't specify a keyserver, but asks gnupg to fetch a key
+currently just gets a simple error messages "No keyserver available".
+
+If the user is asking to contact a keyserver, we should have a
+reasonable default, and not require them to fiddle with settings when
+they might not know what settings to choose. This patch makes the
+default hkps://hkps.pool.sks-keyservers.net.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ configure.ac | 2 ++
+ dirmngr/server.c | 3 ++-
+ doc/dirmngr.texi | 2 ++
+ 3 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 634a570..b43b5ac 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1759,6 +1759,8 @@ AC_DEFINE_UNQUOTED(SCDAEMON_SOCK_NAME, "S.scdaemon",
+ [The name of the SCdaemon socket])
+ AC_DEFINE_UNQUOTED(DIRMNGR_SOCK_NAME, "S.dirmngr",
+ [The name of the dirmngr socket])
++AC_DEFINE_UNQUOTED(DIRMNGR_DEFAULT_KEYSERVER, "hkps://hkps.pool.sks-keyservers.net",
++ [The default keyserver for dirmngr to use, if none is explicitly given])
+
+ AC_DEFINE_UNQUOTED(GPGEXT_GPG, "gpg", [The standard binary file suffix])
+
+diff --git a/dirmngr/server.c b/dirmngr/server.c
+index 2f88ff2..1bedbd8 100644
+--- a/dirmngr/server.c
++++ b/dirmngr/server.c
+@@ -1765,7 +1765,8 @@ ensure_keyserver (ctrl_t ctrl)
+ if (ctrl->server_local->keyservers)
+ return 0; /* Already set for this session. */
+ if (!opt.keyserver)
+- return 0; /* No global option set. */
++ /* No global option set. fall back to default: */
++ return make_keyserver_item (DIRMNGR_DEFAULT_KEYSERVER, &ctrl->server_local->keyservers);
+
+ for (sl = opt.keyserver; sl; sl = sl->next)
+ {
+diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
+index 11bded5..335aa58 100644
+--- a/doc/dirmngr.texi
++++ b/doc/dirmngr.texi
+@@ -276,6 +276,8 @@ service (.onion), Dirmngr selects the keyserver to use depending on
+ whether Tor is locally running or not. The check for a running Tor is
+ done for each new connection.
+
++If no keyserver is explicitly configured, dirmngr will use the
++built-in default of hkps://hkps.pool.sks-keyservers.net.
+
+ @item --nameserver @var{ipaddr}
+ @opindex nameserver
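Review bot: in the server.c hunk a comment is placed between `if (!opt.keyserver)` and its single unbraced statement, and the new `return` line runs well past 80 columns; brace the body and wrap the call, for example
`return make_keyserver_item (DIRMNGR_DEFAULT_KEYSERVER,`
`                            &ctrl->server_local->keyservers);`
Note also that the function's contract changes: `return 0` previously meant "nothing configured" and callers produced the "No keyserver available" error quoted in the commit body, whereas now the result of `make_keyserver_item` is returned, so a parse failure of the default string would surface as that item's error code; that is fine because the string is a compile-time constant, but say so in the commit message. The default is hard-wired in configure.ac through `AC_DEFINE_UNQUOTED` with a literal rather than a configure argument, so a distributor who wants a different default must patch configure.ac; consider wiring it to a `--with-...` option (a suggestion, not an existing flag). Finally, the new dirmngr.texi sentence should mention how this interacts with patch 0118: out of the box the default pool is reached over hkps and validated only against the bundled pool CA, and setting any `hkp-cacert` for another server also changes how the default pool is validated.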
diff --git a/debian/patches/series b/debian/patches/series
index aec3aa3..6dc7751 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -114,3 +114,6 @@
0114-dirmngr-ADNS-error-handling-fix.patch
0115-common-Remove-debug-output-from-gnupg_get_socket_nam.patch
0116-dirmngr-Do-not-implement-supervised-in-Windows.patch
+easy-keyservers/0117-dirmngr-Register-hkp-cacert-even-if-the-file-doesn-t.patch
+easy-keyservers/0118-dirmngr-Add-system-CAs-if-no-hkp-cacert-is-given.patch
+easy-keyservers/0119-dirmngr-Use-a-default-keyserver-if-none-is-explicitl.patch
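Review bot: the order of the three new entries is load-bearing and should be kept as written: the `index` lines show 0118's http.c pre-image blob (b767c15) is 0117's post-image, and 0119's dirmngr.texi pre-image (11bded5) is 0118's post-image, so the series will not apply if they are reordered or if one is dropped without refreshing the others. Placing them in an `easy-keyservers/` subdirectory is fine, but the series file currently gives no hint of that dependency; a comment line above the group stating that 0117 to 0119 must stay together would help the next person who rebases.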
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git