[Pkg-gnupg-commit] [gnupg2] 273/292: dirmngr: Add system CAs if no hkp-cacert is given
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Nov 21 06:31:51 UTC 2016
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch master
in repository gnupg2.
commit 7c1613d41566f7d8db116790087de323621205fe
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Oct 27 18:30:58 2016 -0400
dirmngr: Add system CAs if no hkp-cacert is given
* dirmngr/dirmngr.c (http_session_new): If the user isn't talking to
the HKPS pool, and they have not specified any hkp-cacert, then we
should default to the system CAs, rather than nothing.
* doc/dirmngr.texi: Document choice of CAs.
--
Consider three possible classes of dirmngr configuration:
a) no hkps:// keyserver URLs at all (communication with keyservers is
entirely in the clear)
b) hkps:// keyserver URLs, but no hkp-cacert directives
c) hkps:// keyserver URLs, and at least one hkp-cacert directive
class (a) provides no confidentiality of requests.
class (b) currently will never work because the server certificate
cannot be validated.
class (c) is currently supported as intended.
This patch allows users with configurations in class (b) to work as
most users expect (relying on the system certificate authorities),
without affecting users in classes (a) or (c).
Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
o minor indentation fix
- wk
---
dirmngr/http.c | 15 ++++++++++-----
doc/dirmngr.texi | 5 +++++
2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 90682fa..bc62c82 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -613,6 +613,8 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
const char *errpos;
int rc;
strlist_t sl;
+ int add_system_cas = !!(flags & HTTP_FLAG_TRUST_SYS);
+ int is_hkps_pool;
rc = gnutls_certificate_allocate_credentials (&sess->certcred);
if (rc < 0)
@@ -623,13 +625,14 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
goto leave;
}
+ is_hkps_pool = (intended_hostname
+ && !ascii_strcasecmp (intended_hostname,
+ "hkps.pool.sks-keyservers.net"));
+
/* If the user has not specified a CA list, and they are looking
* for the hkps pool from sks-keyservers.net, then default to
* Kristian's certificate authority: */
- if (!tls_ca_certlist
- && intended_hostname
- && !ascii_strcasecmp (intended_hostname,
- "hkps.pool.sks-keyservers.net"))
+ if (!tls_ca_certlist && is_hkps_pool)
{
char *pemname = make_filename_try (gnupg_datadir (),
"sks-keyservers.netCA.pem", NULL);
@@ -662,10 +665,12 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
log_info ("setting CA from file '%s' failed: %s\n",
sl->d, gnutls_strerror (rc));
}
+ if (!tls_ca_certlist && !is_hkps_pool)
+ add_system_cas = 1;
}
/* Add system certificates to the session. */
- if ((flags & HTTP_FLAG_TRUST_SYS))
+ if (add_system_cas)
{
#if GNUTLS_VERSION_NUMBER >= 0x030014
static int shown;
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 73afbc3..bc3072c 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -461,6 +461,11 @@ the file is in PEM format a suffix of @code{.pem} is expected for
@var{file}. This option may be given multiple times to add more
root certificates. Tilde expansion is supported.
+If no @code{hkp-cacert} directive is present, dirmngr will make a
+reasonable choice: if the keyserver in question is the special pool
+ at code{hkps.pool.sks-keyservers.net}, it will use the bundled root
+certificate for that pool. Otherwise, it will use the system CAs.
+
@end table
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git
More information about the Pkg-gnupg-commit
mailing list