[Pkg-gnupg-commit] [gnupg2] 273/292: dirmngr: Add system CAs if no hkp-cacert is given

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Nov 21 06:31:51 UTC 2016


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch master
in repository gnupg2.

commit 7c1613d41566f7d8db116790087de323621205fe
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Thu Oct 27 18:30:58 2016 -0400

    dirmngr: Add system CAs if no hkp-cacert is given
    
    * dirmngr/dirmngr.c (http_session_new): If the user isn't talking to
    the HKPS pool, and they have not specified any hkp-cacert, then we
    should default to the system CAs, rather than nothing.
    * doc/dirmngr.texi: Document choice of CAs.
    
    --
    
    Consider three possible classes of dirmngr configuration:
    
     a) no hkps:// keyserver URLs at all (communication with keyservers is
        entirely in the clear)
    
     b) hkps:// keyserver URLs, but no hkp-cacert directives
    
     c) hkps:// keyserver URLs, and at least one hkp-cacert directive
    
    class (a) provides no confidentiality of requests.
    
    class (b) currently will never work because the server certificate
    cannot be validated.
    
    class (c) is currently supported as intended.
    
    This patch allows users with configurations in class (b) to work as
    most users expect (relying on the system certificate authorities),
    without affecting users in classes (a) or (c).
    
    Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
    
    o minor indentation fix
      - wk
---
 dirmngr/http.c   | 15 ++++++++++-----
 doc/dirmngr.texi |  5 +++++
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/dirmngr/http.c b/dirmngr/http.c
index 90682fa..bc62c82 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -613,6 +613,8 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
     const char *errpos;
     int rc;
     strlist_t sl;
+    int add_system_cas = !!(flags & HTTP_FLAG_TRUST_SYS);
+    int is_hkps_pool;
 
     rc = gnutls_certificate_allocate_credentials (&sess->certcred);
     if (rc < 0)
@@ -623,13 +625,14 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
         goto leave;
       }
 
+    is_hkps_pool = (intended_hostname
+                    && !ascii_strcasecmp (intended_hostname,
+                                          "hkps.pool.sks-keyservers.net"));
+
     /* If the user has not specified a CA list, and they are looking
      * for the hkps pool from sks-keyservers.net, then default to
      * Kristian's certificate authority:  */
-    if (!tls_ca_certlist
-        && intended_hostname
-        && !ascii_strcasecmp (intended_hostname,
-                              "hkps.pool.sks-keyservers.net"))
+    if (!tls_ca_certlist && is_hkps_pool)
       {
         char *pemname = make_filename_try (gnupg_datadir (),
                                            "sks-keyservers.netCA.pem", NULL);
@@ -662,10 +665,12 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
               log_info ("setting CA from file '%s' failed: %s\n",
                         sl->d, gnutls_strerror (rc));
           }
+        if (!tls_ca_certlist && !is_hkps_pool)
+          add_system_cas = 1;
       }
 
     /* Add system certificates to the session.  */
-    if ((flags & HTTP_FLAG_TRUST_SYS))
+    if (add_system_cas)
       {
 #if GNUTLS_VERSION_NUMBER >= 0x030014
         static int shown;
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 73afbc3..bc3072c 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -461,6 +461,11 @@ the file is in PEM format a suffix of @code{.pem} is expected for
 @var{file}.  This option may be given multiple times to add more
 root certificates.  Tilde expansion is supported.
 
+If no @code{hkp-cacert} directive is present, dirmngr will make a
+reasonable choice: if the keyserver in question is the special pool
+ at code{hkps.pool.sks-keyservers.net}, it will use the bundled root
+certificate for that pool.  Otherwise, it will use the system CAs.
+
 @end table
 
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git



More information about the Pkg-gnupg-commit mailing list